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memorandum  for 

ASSISTAOTSECRETARY  OF  THE  NAVY  (FINANCIAL 
MANAGEMENT  AND  COMPTROLLER) 

DIRECTOR,  DEFENSE  FINANCE  AND  ACCOUNTING 
SERVICE 

SUBJECT:  Audit  Report  on  Internal  Controls  for  the  Military  SealiftCommand 
Portion  of  the  Transportation  Business  Area  of  the  FY  1994  Defense 
Business  Operations  Fund  Financial  Statements  (Report  No.  95-255*) 

We  are  providing  this  report  for  review  and  comments.  Die  audit  was 
conducted  in  response  to  the  Chief  Financial  Officers  Act  of  1990.  Management 
comments  on  a  draft  of  this  report  were  considered  in  preparing  the  final  report. 

DoD  Directive  7650.3  requires  that  all  audit  recommendations  be  resolved 
promptly.  The  comments  we  received  from  the  Military  Sealift  Command  were  not 
fiilly  responsive.  Therefore,  we  request  that  the  Military  Sealift  Comnmd  provide, 
additional  comments  on  Recommendations  A.I.,  A.5M  A.6.,  A.7.,  A.o.,  v. j., 
and  B.7.  by  August  28,  1995.  Recommendations  are  subject  to  resolution  in 
accordance  with  DoD  Directive  7650.3  in  the  event  of  nonconcurrence  or  failure  to 
comment. 

The  courtesies  extended  to  the  audit  staff  arc  appreciated.  Questions  on  this 
audit  should  be  directed  to  Mr.  Raymond  D.  Kidd,  Audit  Program  Dir^tw,  at 
(703)  604-9110  (DSN  664-9110),  or  Ms.  Barbara  A.  Sauls,  Audit  Project  Manager,  at 
(703)  604-9129  (DSN  664-9129).  See  Appendix  G  for  the  report  distribution.  The 
audit  team  members  are  listed  inside  the  back  cover. 


Robert  J.  Lieberman 
Assistant  Inspector  General 
for  Auditing 
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Internal  Controls  for  the  Military  Sealift  Command  Portion 
of  the  Transportation  Business  Area  of  the  FY 1994  Defense 
Business  Operations  Fund  Financial  Statements 


Executive  Summary 

Introduction.  The  United  States  Transportation  Command  integrates  global  air,  land, 
and  sea  transportation  operations,  which  are  financed  through  the  Defense  Business 
Operations  Fund.  In  FY  1994,  the  United  States  Transportation  Command  reported 
revenues  of  $5.8  billion,  operating  expenses  of  $5.7  billion,  and  a  positive  net 
operating  result  of  $152.2  mSion.  In  FY  1994,  the  United  States  Transportation 
Command  and  its  three  components,  the  Military  Traffic  Management  Command,  the 
Military  Sealift  Command,  and  the  Air  Mobility  Command,  reported  assets  valued  at 
$3.2  billion  and  had  an  authorized  total  of  about  76,000  military  and  civilian  personnel. 
The  Military  Sealift  Command  provides  sea  transportation  of  equipment,  supplies,  and 
ammunition  to  sustain  United  States  forces  worldwide.  During  FY  1994,  its  reported 
assets  were  valued  at  $2.2  billion. 


Audit  Objectives.  The  primary  audit  objective  was  to  determine  whether  the  FY  1994 
Statement  of  Financial  Position  was  presented  fairly  in  accordance  with  Office  at 
Management  and  Budget  Bulletin  No.  94-01,  "Form  and  Content  of  Agency  Financial 
Statements,"  November  16,  1993.  The  objective  was  revised  to  determine  whether 
internal  controls  at  the  Military  Sealift  Command  ensured  accurate  account  balances  on 
the  Military  Sealift  Command's  FY  1994  Statement  of  Financial  Position.  In  addition, 
we  reviewed  the  management  control  program  at  the  Military  Sealift  Command.  The 
Air  Force  Audit  Agency,  in  a  separate  project,  determined  whether  the  mtemal  rontwta 
at  the  Air  Mobility  Command  ensured  accurate  account  balances  on  its  FY199* 
Statement  of  Financial  Position.  The  financial  data  for  the  Military  Traffic 
Management  Command  were  not  material  to  the  United  States  Transportation 
Command’s  financial  statements,  and  therefore  were  not  audited. 


Audit  Results.  Internal  controls  at  the  Military  Sealift  Command  were  not  adequate  to 
establish  the  transaction  trail  from  the  account  balances  to  underlying  transactions 
supporting  the  Military  Sealift  Command's  FY  1994  Statement  of  Financial  Postot*. 
In  addition,  general  controls  associated  with  access  and  accountability  over  the  Unit 
Level  Billing  System's  application  programs  and  data  were  ineffective.  We  consider 
these  weaknesses  material.  However,  the  Military  ^  Sealift  Command  implemented 
system  and  computer  security  changes  that  should  improve  internal  controls.  Sae 
Appendix  A  for  a  discussion  of  our  review  of  the  management  control  program. 

o  The  accounting  and  related  systems  at  the  Military  Sealift  Command  did  not 
fully  comply  with  accounting  principles,  standards,  and  policies;  did  not  use  the  DoD 
Standard  General  Ledger  chart  of  accounts;  did  not  maximize  the  use  of  standard  data 
processing;  did  not  make  the  most  efficient  use  of  date  processing  and  accounting 
methodology;  and  did  not  produce  auditable  financial  statements.  The  control 
environment  at  the  Military  Sealift  Command  lessened  the  effectiveness  of  existing 
policies  and  procedures.  The  Military  Sealift  Command  did  not  have  the  control 
procedures  needed  to  assure  management  that  material  errors  were  detected  promptly. 
As  a  result,  we  could  not  establish  a  transaction  trail  from  the  Accounts  Receivable 
account  balance  of  $301.4  million  and  the  Accrued  Expenses  account  balance  of 


$598.2  million,  as  shown  on  the  Military  Sealift  Command's  FY  1994  Statement  of 
Financial  Position,  to  the  transactions  supporting  the  account  balances.  However,  the 
Military  Sealift  Command  made  system  changes  that  should  improve  the  financial 
reporting  process  (Finding  A). 

o  The  Military  Sealift  Command  did  not  have  effective  general  controls  for 
access  and  accountability  over  the  Unit  Level  Billing  System's  application  programs 
and  data.  As  a  result,  at  least  31  users  had  the  ability  to  alter  programs  and  data  in  the 
Unit  Level  Billing  System  without  detection,  and  at  least  7  user  identification  codes  ot 
unauthorized  personnel  were  in  use.  The  Military  Sealift  Command  took  prompt  action 
to  correct  the  problems  with  user  identification  codes  (Finding  B). 

Strengthening  internal  controls  over  the  accounting  and  related  systems  and  computer 
security  win  improve  financial  reporting  and  reduce  the  vulnerability  of  programs  and 
data  to  unauthorized  access  (Appendix  E). 

Summary  of  Hffoww^ndatinns.  We  recommend  that  the  Commander,  Military 
Sealift  Command,  comply  with  DoD  and  Navy  regulations  on  internal  controls  and 
computer  security,  review  new  systems  to  see  whether  improvements  have  been  made, 
validate  the  data  produced  by  the  systems,  and  train  the  personnel  working  on  them,  in 
oHHitinn  the  Military  Sealift  Command  should  develop  standard  operating  procedures 
for  the’  Accounting  Division,  tighten  computer  security,  and  provide  more 
comprehensive  security  training  and  supervision  to  security  officers. 

Management  Comments  and  Audit  Response.  The  Military  Sealift  Command 
generally  concurred  with  the  recommendations;  however,  we  did  not  consider  the 
comments  fully  responsive.  The  Military  Sealift  Command  agreed  to  comply  with 
DoD  and  Navy  regulations  on  the  internal  controls  related  to  financial  data,  but  did  not 
clearly  state  what  measures  would  be  implemented.  We  request  additional  comments 
on  how  the  Military  Sealift  Command  intends  to  improve  the  crosswalk  to  the  DoD 
Standard  General  Ledger,  validate  data  used  to  accrue  expenses,  establish  standard 
operating  procedures  for  the  Accounting  Division,  and  determine  the  training  needs  of 
operations  and  security  personnel.  Although  the  Military  Sealift  Command  concurred 
with  the  recommendations  to  improve  computer  security,  we  did  not  consider  the 
planned  actions  to  be  responsive.  We  request  that  the  Military  Sealffi  Command 
reconsider  the  completion  dates  required  to  implement  the  recommoidations.  See 
Part  I  for  a  complete  discussion  of  management's  comments,  and  Part  III  for  the  text  ot 
the  comments.  We  request  that  the  Military  Sealift  Command  provide  additional 
comments  by  August  28,  1995. 
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Part  I  -  Audit  Results 


Audit  Background 


On  October  1,  1992,  the  Under  Secretary  of  Defense  (ComgroUer)  (to  Ae 
Comptroller  of  the  Department  of  Defense)  incorporated  the  United  States 
Transportation  Command  (USTRANSCOM)  into  the  Defense  Business 
Operations  Fund  (DBOF),  a  revolving  fund.  The  Secretary  of  Defense  tad 
established  USTRANSCOM  in  April  1987  as  a  unified  command  to  integrate 
global  air,  land,  and  sea  transportation  during  wartime.  In  1992, 
ITSTRANSCOM's  role  expanded  to  include  a  peacetime  mission. 

at  Scott  Air  ^Base,  Illinois,  USTRANSCOM  executes  its 
mission  through  three  transportation  components:  the  Miktaiy  Traffic 
Management  Command  (MTMC),  Falls  Church,  Virguua;  die s  Military '  Sgtift 
Command  (MSC),  Washington,  D.  C.;  and  the  Air  Mobility  Command,  Scott 
Air  Force  Base,  Illinois. 

In  FY  1994,  USTRANSCOM  reported  revenues  of  $5.8  billion,  operating 
expenses  of  $5.7  tuition,  and  a  positive  net  operating  rewit  of  $152.2  nultion 
USTRANSCOM  and  its  components  reported  assets  valued  at  $3.2  billion,  ana 
have  an  authorized  total  ofabout  76,000  military  and  civilian  personnel. 
USTRANSCOM,  as  .manager  of  the  DBOF  Transportation  Business  Area, 
provides  management  oversight  of  its  components'  budgets,  mission  operations, 
and  financial  systems.  USTRANSCOM  participates  in  all  accounting  and 
financial  issues  concerning  its  components. 

The  Military  Sealift  Command  provides  sea  transportation  of equipment, 
supplies,  and  ammunition  to  sustain  United  States  forces  worldwide.  During 
FY  1994,  its  reported  assets  were  valued  at  $2.2  billion. 

The  Defense  Finance  and  Accounting  Service  (DF  AS)  andits 
Accounting  Offices  perform  accounting  functions  for  USTRANSCOM  and  its 
components.  DFAS  Denver  Center  is  the  consolidating  ^  office  for 
USTRANSCOM  and  prepares  the  financial  statements  required  by  the  CFO 
Act.  This  audit  was  conducted  in  response  to  the  CFO  Act. 


Audit  Objectives 

Our  primary  objective  was  to  determine  whether  the  FY  1994  Statement  of 
Financial  Position  was  presented  fairly  in  accordance  with  Office  of 
Management  and  Budget  Bulletin  No.  94-01,  "Form  and  Content  of  Agency 
Financial  Statements,"  November  16, 1993. 

During  the  audit,  the  DoD  Chief  Financial  Officer  and  audit  communities 
dfHHpd  to  emulate  successful  private  sector  business  practices  and  move  to  a 
corporate  audit  approach  for  DBOF.  As  a  result,  an  audit  opinion  will  be 
expressed  on  DBOF  as  a  whole,  but  not  on  the  financial  statements  of 
USTRANSCOM  or  other  subentities.  The  USTRANSCOM  FY  1993  Statement 
of  Financial  Position  was  our  basis  for  the  preliminary  estimate  of  materiality. 


Audit  Results 


The  four  material  accounts  selected  for  review  were  Accounts  Receivable; 
Property,  Plant,  and  Equipment;  Accounts  Payable;  and  Other  Non-Federal 
liabilities.  The  review  showed  that  MSC  and  the  Air  Mobility  Command  made 
up  $2.7  billion  out  of  $3. 1  billion  reported  on  the  USTRANSCOM  FY  1993 
financial  statements  for  the  four  selected  accounts.  As  a  result,  we  revised  our 
audit  approach  to  concentrate  on  the  MSC  component  of  USTRANSCOM.  The 
audit  concentrated  on  internal  controls  as  related  to  the  financial  and  accounting 
systems  and  the  preparation  of  the  financial  statements;  therefore,  we  did  not 
perform  substantive  testing  of  the  transactions  supporting  the  selected  accounts. 
We  did  not  recommend  adjustments  to  the  account  balances  or  quantify  the 
dollar  effect  of  identified  internal  control  problems. 


See  Appendix  A  for  a  discussion  of  the  audit  scope,  methodology,  and  coverage 
of  the  management  control  program.  Appendix  B  discusses  prior  audit  coverage 
of  the  financial  aspects  of  military  transportation. 
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Finding  A.  Internal  Control 
Structure 

The  internal  control  structure  at  MSC  did  not  provide  reasonable 
assurance  of  achieving  the  internal  control  objectives  m  ,DoD  D^ecUve 
5010.38,  "Internal  Management  Control  Program,  April  14,  1987,  and 
DoD  Regulation  7000. 14-R,  "DoD  Financial  Management,  Volume  1, 
"General  Financial  Management  Information,  Systems,  and 
Requirements,"  May  1993.  Consequently,  the  control  risks  were  high 
because  of  material  weaknesses  in  the  accounting  and  related  systems 
producing  the  financial  statements;  an  inadequate  control  environment, 
including  management’s  lack  of  emphasis  on  training;  and  ineffective 
control  procedures  needed  to  assure  management  that  material  errors 
were  detected  promptly.  As  a  result,  we  could  not  establish  a 
transaction  trail  from  the  Accounts  Receivable  account  balance  of 
$301.4  million  and  the  Accrued  Expenses  account  balance  of 
$598.2  million,  as  shown  on  the  MSC  FY  1994  Statement  of  Financial 
Position,  to  the  transactions  supporting  the  account  balances. 


Internal  Control  Responsibilities 

DoD  Directive  5010.38  states  the  objectives  of  internal  controls.  One  important 
objective  of  internal  controls  is  to  provide  reasonable  assurance  that  revenues 
and  expenditures  applicable  to  agency  operations  are  recorded  and  accounted  for 
properly,  so  that  accounts  and  reliable  financial  and  statistical  reports  may  be 
prepared’  and  accountability  for  assets  may  be  maintained.  Management  is 
responsible  for  establishing  and  maintaining  an  effective  internal  contro 
structure.  To  fulfill  this  responsibility,  management  estimates  and  judges  the 
expected  benefits  and  related  costs  of  internal  control  structure  policies  and 
procedures.  The  internal  control  structure  for  management's  accounting  or 
financial  information  comprises  the  accounting  and  related  systems,  control 
environment,  and  control  procedures. 


Accounting  and  Related  Systems 

MSC  could  not  provide  reasonable  assurance  that  the  FY  1994  financial 
statements  properly  reflected  its  operations.  Assurance  was  kicking  because  the 
accounting  and  related  systems  did  not  fully  comply  with  DoD  Regulation 
7000. 14-R.  Manual  and  automated  systems  did  not: 

o  fully  comply  with  accounting  principles,  standards,  and  policies; 

o  use  the  DoD  Standard  General  Ledger  chart  of  accounts; 
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o  maximize  the  use  of  standard  data  processing; 

o  mate  the  most  efficient  use  of  data  processing  and  accounting 
methodology;  or 

o  produce  auditable  financial  statements. 

As  a  result,  management  could  not  establish  a  transaction  trail  from  the  account 
balances  for  Accounts  Receivable  and  Accrued  Expenses  to  underlying 
transactions  supporting  the  MSC  FY  1994  Statement  of  Financial  Position. 

DoD-Wide  financial  Management  System.  In  addition  to  establishing  the 
requirements  for  the  DoD  accounting  systems,  DoD  Regulation  7000. 14~R 
made  the  CFO,  DoD,  responsible  for  developing  and  implementing  DoD-wide 
financial  management  systems.  Because  of  the  magnitude  of  that  effort,  the 
CFO,  DoD,  made  Headquarters,  DFAS,  responsible  for  identifying  and 
nominating  migratory  accounting  and  financial  systems  until  DoD-wide  systems 
could  be  developed.  A  DoD-wide  system  should  support  the  DBOF  concept  of 
providing  information  on  a  real-time  basis.  To  satisfy  the  requirement  for  an 
accounting  system  and  other  needs  of  the  DBOF  concept,  the  Secretary  of 
Defense  established  the  DBOF  Corporate  Board  and  made  the  Board  responsible 
for  developing  policies  and  procedures  and  recommending  actions  to  support 
DBOF  financial  management  systems. 

To  develop  interim  systems,  DFAS  Headquarters  reviewed  and  evaluated  four 
financial  management  systems  for  the  Transportation  Business  Area:  the  Corps 
of  Engineers  Financial  Management  System;  the  Financial  Management 
Information  System  (FMIS);  the  Job  Order  Cost  Accounting  System  II;  and  the 
Standard  Industrial  Fund  System.  In  September  1994,  DFAS  submitted  a 
"Report  on  the  Comparative  Evaluation  of  the  Candidate  Interim  Migratory 
Systems  for  the  Transportation  Business  Area"  to  the  DBOF  Corporate  Board. 
In  the  report,  DFAS  nominated  FMIS,  the  accounting  system  used  at  MSC,  as 
the  interim  migratory  system.  However,  no  consensus  existed  among  Board 
members  on  whether  to  accept  or  reject  FMIS.  As  a  result,  on 
December  19,  1994,  the  CFO  tasked  DFAS  Headquarters  to  perform  a 
functional  economic  analysis  between  FMIS  and  the  Caps  of  Engineers 
Financial  Management  System  to  determine  the  most  appropriate  interim 
migratory  system  for  the  Transportation  Business  Area.  The  results  of  die 
analysis  are  expected  by  September  1995.  Until  the  DBOF  Corporate  Board 
decides  on  an  interim  system,  MSC  and  the  other  components  of 
USTRANSCOM  will  continue  to  use  their  current  systems.  MSC  has 
implemented  changes  to  FMIS  and  related  systems;  those  changes  should 
improve  internal  controls. 

Financial  Management  Information  System.  At  MSC  Headquarters,  wc 
reviewed  FMIS,  an  accounting  and  financial  management  information  system 
that  supports  DBOF  Transportation  and  DBOF  Navy  areas  at  MSC 
Headquarters  and  its  Area  Commands.  FMIS  was  developed  in  1989  and 
implemented  in  1993,  and  is  operated  at  the  Defense  Information  Processing 
Center  in  Washington,  D.C.  FMIS  uses  commercial  off-the-shelf  technology 
that  includes  continual  upgrades  and  contract  support.  Complementary  modules 
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can  be  integrated  as  needed.  In  addition  to  the  General  ledger  and  Accounts 
Payable  (PAYS)  modules  already  in  use,  projected  modules  for  FMIS  include 
Accounts  Receivable;  Funds  Tracking;  Revalue  and  Mission  Workload;  Cost 
Accounting  and  Accruals;  and  Budget  Preparation  and  Execution. 

FMIS  consists  of  subsystems  that  provide  data,  either  directly  or  indirectly 
through  personal  computer  interfaces,  to  the  General  Ledger.  The  General 
Ledger  captures  all  data  entries  and  produces  the  figures  for  the  financial 
statements  The  Unit  Level  Billing  System  (ULB)  and  the  Revenue  Lift  System 
produce  the  actual  and  accrued  revenue  ana  generate  the  Accounts  Receivable 
balances.  The  manual  Accounts  Receivable  tracking  system  updates  billing 
status  and  collection  changes  to  the  Accounts  Receivable  balance.  FMIS 
Gateway  edits  and  processes  computer  files  from  the  ULB  as  well  as  the  manual 
data  from  the  property,  plant,  and  equipment  spreadsheets.  The  edits  and 
checks  take  plwr  before  the  data  enter  the  General  Ledger  and  at  the  General 
Ledger. 

Until  FY  1995,  MSC  Pacific  used  the  Financial  Information  System  (FINIS)  to 
process  and  calculate  Accrued  Cargo  Expenses  such  as  Shipping 
Agreements/Contracts  Container.  FINIS  has  been  replaced  by  the  Cargo 
Accrual  System  (CARS),  which  also  calculates  Accrued  Cargo  Expenses.  On 
the  operational  side,  the  Vessel  Information  Planning  and  Analysis  System 
(VIPS)  at  MSC  Headquarters  is  a  feeder  system  that  provides  data  needed  to 
(»airiiigtf».  and  accrue  other  Accrued  Expenses,  which  include  fuel  expense, 
charter  costs,  port  charges,  tolls,  and  miscellaneous  expenses  such  as  ship 
activation  and  deactivation.  The  manual  system  for  processing  ^  Accrued 
Expenses  generates  and  tracks  those  Accrued  Expenses  not  produced  by  FINIS 
or  CARS. 


Appendix  D  shows  the  system  interfaces  and  describes  the  systems  reviewed  at 
MSC  Headquarters.  The  appendix  shows  the  automated  relationship  among  the 
MSC  Area  Commands;  MTMC  and  the  Navy  ports;  and  the  ULB,  Revenue 
Lift,  and  FMIS  Gateway  systems. 

General  Ledger.  The  FMIS  General  Ledger  did  not  conform  to  the 
DoD  Standard  General  Ledger  chart  of  accounts  as  required  by  DoD  Regulation 
7000  1 4-R  The  FMIS  General  Ledger  was  an  off-the-shelf  module  that  had  not 
been  adapted  to  meet  DoD  requirements.  MSC  uses  Service-unique  charts  of 
accounts  that  must  be  cross  walked  to  the  Standard  General  Ledger  to  prepare 
CFO  financial  statements  and  management  reports.  MSC  found  it  difficult  to 
certify  the  reliability  of  the  DFAS-prepared  financial  statements  because  a  one- 
to-one  relationship  did  not  exist  between  the  MSC  chart  of  accounts  and  the 
Standard  General  Ledger  chart  of  accounts.  MSC  found  that  transactions  were 
not  always  properly  recorded  and  accounted  for,  and  the  account  balances  in  the 
financial  statements  could  not  be  traced  back  to  the  General  Ledger  or  the 
original  source  documents.  To  comply  with  the  DoD  requirement,  the  General 
Ledger  must  be  adapted  to  use  the  DoD  Standard  General  Ledger  chart  of 
accounts. 


Tracking  and  Reconciling  of  Accounts  Receivable.  MSC  recognized  that  the 
manual  tracking  and  reconciling  of  Accounts  Receivable  did  not  make  the  most 
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efficient  use  of  data  processing  and  accounting  methodology,  and  did  notfoUy 
comolv  with  Do D  accounting  principles,  standards,  and  policies.  As  a  result, 
MSC  developed  an  interim  Accounts  Receivable  system  that  should  improve  the 
nrocess  Processing  at  least  300  transactions  per  month  manually  rather  than 
LtomaticaUy Sdnot  allow  for  prompt  tracking  of  Accounts  Receivable.  The 
delay  in  tracking  Accounts  Receivable  prevented  accurate  and  timely  report^ 
erf  information  needed  to  age  the  accounts.  MSC  expects  to  alleviate  the 


m  ■  i  m  smvi  u  a 


DoD  requirements  to  establish  an  Allowance  for  Loss  on  Accounts  Receivable 
and  toage  Accounts  Receivable  based  on  actual  data.  The  lack  of 
for  uncollectibles  prevented  foil  disclosure  of  the  financial  situation.  MSC  aged 
Accounts  Receivable  based  cm  estimated  data.  These  shortcomings  led  to 
unreliable  information. 

Unit  Level  ™«"g  System.  The  ULB  is  the  MSC  billing  system  for  dry 
it  electronically  collects  transportation  data  from  the  Area  Commands 


n  (2 


billing  amount  for  the  sponsor.  As  shown  in  Appendix  D,  the  ULB 
Revenue  Tift  System  transfer  revenue  data  through  personal  computers  to  FM1S 
Gateway.  Wi&in  FWS  Gateway,  coding  takes  place  to  credit  the  Revenue 
account  and  debit  the  Accounts  Receivable  account  for  the  revenue  «noufo» 
the  i^pgf  During  j t  limited  review,  wc  did  not  identify  umtentt 

errors  in  the  Accounts  Receivable  process.  Problems  in  timelmess  and 
efficiency  occurred  with  tracking  receivables  from  unbilled  to  billed  to 
collected. 

Use  of  Manual  Date  Processing.  The  manual  tracking  of  an  average  of 
300  Accounts  transactions  each  month  was  inefficient.  MSC 

nersonnel  tracked  the  data  on  personal  computer  spreadsheets  because  no 
had  tee.  dwtocwL  I,£.300f 

approximately  100  entries  of  unbilled,  100  entries  of  foiled,  and  100  entries  of 
collections.  As  a  result,  critical  reporting  information,  to  include  the  aging  of 
Accounts  Receivable,  urns  not  promptly  available. 

The  tracking  of  Accounts  Receivable  involved  reconciling  cash  collections  to 
billed  receivables.  The  accountants  posted  data  to  100  different  active  FhOS 
sponsor  codes,  tracked  status  changes  from  unbilled  to  foiled  to  collected,  ami 
entered  collection  data  into  FMIS  Gateway.  If  discrepancies  existed, 
reconciliation  normally  took  about  2  weeks  each  month.  MSC  Headquarters  is 
automating  the  tracV^f  process  with  Access,  an  interim  Accounts  Receivable 

Actowtt  Bwovable  will  it  a*oaato% 
matched  to  bffled  AccounU  Receivable.  Date  will  be  entered  only  once  to  keep 
control  of  Accounts  Receivable  figures. 


Volume  4,  January  1995,  requires  allagencies  to  establish  an  aUcwanwwr 
uncollectibles  MSC  had  not  established  an  Allowance  for  Uncollectibjw 
account  although  foe  account  existed  in  the  Navy  chart  of  accounts.  MSC 
personnel  did  not  foe  account  a  requirement  because  foe  Navy 
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Comptroller  Manual,  "Navy  and  Marine  Corps  Industrial  Funds,  Volume  5, 
May  1991,  did  not  mention  it.  According  to  personnel  in  me  Navy 
Comptroller's  Office,  DFAS  was  responsible  for  updating  Volume  5  to  show 
the  requirement.  Because  it  had  not  been  updated,  accounting  personnel  were 
not  aware  of  the  requirement.  In  addition,  MSC  was  not  informed  of  changes 
in  DoD  regulations  because  of  weaknesses  in  the  dissemination  ot  DFAp 
guidance.  For  further  discussion,  see  Appendix  C,  "Other  Matters  of  Interest. 

In  August  and  September  1994,  the  DFAS  Denver  Center  reviewed  MSC 
Accounts  Receivable  over  120  days  old  andd^erminedt^tMSChad 
$1.8  million  of  uncollectible  receivables  before  DBOF  was [established.  DFAS 
Denver  Center  advised  MSC  to  adjust  the  uncollectibles  against  Assets 
Capitalized.  MSC  did  not  accomplish  the  $1.8  million  write-off  dunng  1994 , 
therefore,  the  Accounts  Receivable  footnotes  to  the  USTRANSCOM 
1994  Statement  of  Financial  Position  stated  that  MSC  would  write  on 
$1.8  million  in  FY  1995.  The  $1.8  million  write-off  had  not  been  shown  as 
uncollectible.  MSC  should  use  the  Allowance  for  Loss  cm  Accounts  Receivable 
and  should  determine  the  account  balance  as  required  by  DoD  Regulation 
7000. 14-R.  The  use  erf  historical  data  is  one  method  of  estimating  the  balance 
for  the  Allowance  for  Loss  on  Accounts  Receivable. 


Agencies  should  age  Accounts  Receivable  to  show  amounts  owed  to 

the  Government,  and  should  report  the  information  to  the  Department  of  the 
Treasury.  The  DFAS  Denver  Center  is  responsible  for  reporting  the 
USTRANSCOM  information  to  DFAS  Headquarters,  which  in  turn  reports  to 
the  Department  erf  the  Treasury.  According  to  MSC,  the  DFAS  Denver  Center 
did  not  ask  for  the  MSC  aging  information  needed  to  consolidate  and  report  the 
USTRANSCOM  information.  As  a  result,  the  DFAS  Denver  Center  applied 
aging  percentages  used  by  the  Air  Mobility  Command  to  the  MSC  Accounts 
Receivable  balance.  In  add**VM1J  the  time-consuming  process  of  tracking 
Accounts  Receivable  prevented  MSC  from  providing  actual  values  at  the 
month's  end.  The  aging  data  sent  to  USTRANSCOM  were  estimated  and  could 
not  be  substantiated. 


As  of  September  1994,  the  Accounts  Receivable-Federal  Entities  balance  on  the 
MSC  financial  statement  was  $301.4  million,  with  $4  million  in  Accounts 
Receivable  over  120  days.  As  stated  in  the  regulation,  the  more  delinquent  an 
account,  the  more  likely  that  it  will  not  be  collected.  With  the  Access  system, 
the  aging  of  Accounts  Receivable  can  be  based  on  actual  rather  than  estimated 
data.  MSC  should  develop  procedures  to  age  Accounts  Receivable  promptly 
and  report  the  information  to  DFAS  Denver  Center  in  a  timely  manner. 


FINIS  Calculation  of  Accrued  Cargo  Expenses.  During  FY  1994,  toe 
calculation  of  Accrued  Cargo  Expenses  at  MSC  did  not  fully  comply  with 
accounting  principles,  standards,  and  policies;  maximize  the  use  of  standard 
rfata  processing;  or  make  toe  most  efficient  use  of  data  processing  and 
accounting  methodology.  FINIS  was  unable  to  process  critical  data,  such  as 
measurement  tons  and  rates,  needed  to  calculate  Accrued  Expenses,  rot 
example  more  detailed  rate  information  could  not  be  added  without  rewriting 
the  entire  program.  In  addition,  MSC  personnel  had  to  manually  process 
approximately  5,000  line  items  each  month  to  generate  a  history  report  of 


8 


Finding  A.  Internal  Control  Structure 


transactions.  As  a  result,  the  account  entries  for  Accrued  Expenses,  such  as 
Shipping  Agreements/Contracts  Container,  Breakbulk,  and  Government  BUI  of 
Lading,  could  not  be  substantiated.  Through  CARS,  MSC  made  a  significant 
system  change  that  iIkhiH  improve  the  calculation  of  Accrued  Cargo  Expenses. 

FINIS  and  CABS.  FINIS  was  an  MSC  Pacific  automated  data 
nroceisiac  system  that  ps wfH  ULB  records  at  MSC  Pacific  and  computed 
Sd^Sd^cargo  expeSJe^HNIS  was  not  properly  designed  to  handle  the 
accruals  from  MSC  Padfic.  Without  warning  or  explanation,  FINIS  would 
periodically  shut  down  and  lose  data.  The  largely  manual  process  of  correcting 
FINIS  errors  was  further  slowed  when  the  system  failed. 

CARS  has  replaced  FINIS  in  the  Pacific  Area  Command.  CARS  was  designed 
to  automate  foemanual  processes  not  handled  by  FINIS,  which  are  the  posting 
of  shipments,  bills,  and  expense  data,  and  calculating  and  transnutting  accruals 
and  revenue  lift  ta&mate*  CARS  is  expected  to  increase  the  efficiency, 
timeliness  and  accuracy  of  the  cargo  accrual  process.  However,  management 
must  ensure  that oXscorrects  the  deficiencies  in  FINIS.  Although  CARS  has 
replaced  FINIS,  the  probtems  identified  with  FINIS  affected  our  ability  to 
ertfriidi  a  tnusac&m  trail  from  the  FINIS-generatod  Accrued  Expenses  account 
Kaiamv»  of  $56.6  million,  as  shown  on  the  MSC  FY  1994  Statement  of 
Financial  Position,  to  tee  transactions  supporting  the  account  balances. 


Compliance  with  Accounting  Principles,  Standards,  and  Policies. 
Periodically  and  without  warning,  FINIS  would  shut  down  and  lose  data  on 
cargo  expense  accruals.  MSC  personnel  involved  in  reconciling  cargo  expense 
could  not  exnlMia  why  the  system  shut  down.  When  data  were  lost, 
users  had  to  manually  reconcile  and  input  the  data,  thus  increasing  the  workload 
for  four  employees  at  MSC  Pacific.  In  addition,  FINIS  created  cargo  expense 
ar~»<ai«  for  mileage,  storage  charges,  and  port  charges  by  estimating  those 
charges  baaed  on  pescsateges. 

Another  FINIS  deficiency  affected  accruals  of  cargo  revenue.  Revenue  and 
yrcpf»nc»  (fata  were  using  different  rates.  Cargo  revenue  data  were 

captured  in  foe  ULB  and  foe  Revenue  Lift  systems  when  transportation  data 
were  initially  input  at  foe  rate  effective  on  foe  sailing  date;  however,  when  foe 
cargo  data  were  captured  in  FINIS,  foe  rate  applicable  on  foe  input  date 

was  used.  This  inconsistency  in  rates  occurred  when  foe  previous  years 
transportation  data  were  received  and  input  in  years  other  than  tiw  year  ^ 
sailing.  As  a  result,  and  expenses  could  not  be  matched.  MSC  Panne 

personnel  used  foe  “Commercial  Container  Cost  Comparison  Income  and 
prp»n«»  Report"  to  correct  foe  mismatched  revenues  and  expenses  in  the 
following  month.  Those  deficiencies  prompted  MSC  to  develop  and  implement 
CARS. 


Effective  Use  of  Data  Processing  and  Accounting  Methodology. 
When  FINIS  accrued  cargo  expenses,  MSC  employees  manually  tracked, 
reconciled,  and  reestablished  accruals  affected  by  payments  from  Accounts 
Payable.  Payments  agwut  accruals  were  manually  entered  in  FINIS  and 
in  a  transaction  register.  To  ensure  accurate  payment  information, 
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MSC  employees  manually  corrected  and  updated  the  transaction  register.  When 
the  transaction  register  was  corrected,  FINIS  processed  the  payment  data  against 
the  accruals. 

If  a  payment  was  made  against  an  accrual,  FINIS  generated  the  Accrual  Match 
Report  containing  the  reversal  of  the  accrual,  the  payments  made,  and  die 
reaccrual  of  any  unpaid  amount.  At  MSC  Pacific,  4  employees  manually 
reconciled  approximately  5,000  line  items  per  month  of  shipment,  billing,  and 
payment  data.  MSC  Pacific  personnel  used  source  documents  and  control 
Sheets  to  manually  calculate  and  post  incorrect  or  missing  accruals  generated  by 
FINIS.  FINIS  also  generated  monthly  expense  reports,  which  MSC  Pacific 
personnel  manually  reviewed  and  corrected.  These  manual  processes,  despite 
the  efforts  of  MSC  employees,  ware  susceptible  to  errors  because  large  amounts 
of  data  had  to  be  reviewed  and  processed. 

VIPS  Input  to  Accrued  Expenses.  The  data  produced  by  the  feeder  system, 
VIPS,  did  not  fully  comply  with  accounting  principles,  standards,  and  policies, 
and  the  manipulation  or  the  data  did  not  mirice  the  most  efficient  use  of  data 
processing.  VIPS  user  personnel  at  the  Area  Commands  did  not  validate  the 
data  entered  into  the  system,  and  the  internal  controls  at  MSC  Headquarters  did 
not  recognize  errors  in  all  instances  of  data  entry.  In  addition,  the  accountants 
manual  process  of  accruing  expenses  from  VIPS  operational  and  other  financial 
dat?  was  time-consuming.  As  a  result,  the  data  extracted  from  VIPS  and  used 
to  calculate  Accrued  Expenses  were  not  reliable,  which  affected  the  accuracy  of 
Accrued  Expenses  reported  on  the  MSC  financial  statements.  User  personnel  at 
the  Area  Commands  should  validate  VIPS  data  to  ensure  accuracy. 

VIPS.  Implemented  in  1986,  VIPS  was  designed  to  give  information  on 
the  voyages  of  MSC-sponsored  dry  cargo  ships.  VIPS  provides  tracking  data, 
including  ship  itinerary,  actual  voyages  completed,  and  the  number  of  hours, 
days,  and  minutes  that  a  dry  cargo  ship  was  in  port  or  at  sea  during  a  given 
month.  VIPS  is  a  feeder  system;  its  mission  is  to  provide  data  for  operational 
purposes,  not  for  accounting.  However,  data  produced  by  VIPS  are  used  to 
calculate  monthly  accruals,  such  as  Fuel  Expense,  Charter  Costs,  Port  Charges, 
Tolls,  and  Miscellaneous  Expenses  such  as  Ship  Activation  and  Deactivation. 
Area  Command  personnel  were  not  consistent  in  entering  Military  Sealift 
Command  data  in  VIPS,  and  did  not  validate  their  data  inputs.  As  a  result,  the 
data  extracted  from  VIPS  and  used  to  calculate  Accrued  Expenses  were  not 
reliable. 

Responsibility  for  VIPS  Data.  MSC  Instruction  4610.32D,  "Vessel 
Information  Planning  and  Analysis  System  (VIPS)  Reporting  Instructions, 
September  6,  1990,  assigns  responsibility  to  MSC  Area  Commanders  for  VIPS 
operations,  maintenance,  reporting,  and  training  for  their  geographical  areas. 

VIPS  Users.  The  VIPS  users  at  ports  in  each  Area  Command 
are  responsible  for  tracking  and  reporting  on  dry  cargo  ships  that  are  sailing  in 
their  geographical  areas.  Data  on  scheduled  ship  voyages  are  communicated  by 
message  from  each  ship  to  the  Area  Commands  and  copied  to  MSC 
Headquarters  on  automated  messages.  Messages  and  other  data  on  the  voyages 
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of  dry  cargo  ships  are  used  as  source  data  and  input  into  VIPS  by  the  VIPS 
users.  In  addition,  the  VIPS  users  at  each  Area  Command  are  responsible  for 
validating  VIPS  data  and  correcting  errors. 

VIPS  Administrators.  The  VIPS  Administrator  at  MSC 
Headquarters  maintains  the  overall  operations  of  VIPS,  makes  changes  and 
improvements  to  VIPS  applications,  resolves  data  entry  problems,  and  assustsm 
VIPS  user  training.  The  VIPS  Administrator  reviews  a  daily  VffS 
Arrival/Departure  and  Fuel  Report"  (Arrival  and  Departure  Report)  that  details 
approximately  11,440  transactions  of  voyage  data  on  previously  used  and 
currently  operated  dry  cargo  ships.  The  VIPS  Administrator  reviews  the 
Arrival  and  Departure  Report  to  identify  data  errors  or  the  need  for  updates. 
Frequently,  the  VIPS  Administrator  requests  updates  on  ship  voyages  from  the 
VIPS  users  at  the  Area  Commands. 


At  the  month's  end,  the  VIPS  Administrator  reviews  the  "VIPS  Port  Time 
Report"  (Port  Time  Report)  that  summarizes  voyages  of  individual  ships  by 
days,  hours,  and  minutes  the  ship  was  at  sea  or  in  port.  The  Port  Time  Report 
is  used  as  source  data  to  prepare  a  monthly  "Port/Sea  Time  and  Fuel 
Consumption  Report"  (Port  and  Sea  Time  Report).  The  VIPS [Administrator 
prepares  the  Port  and  Sea  Time  Report  and  submits  it  to  the  MSC  Headquarters 
Accounting  Division.  The  Port  and  Sea  Time  Report  provides  the  source  data 
used  by  MSC  accountants  in  preparing  Accrued  Expense  entries  for  dry  cargo 
ships. 


Compliance  with  Accounting  Principles,  Standards,  and  Policies. 
The  VIPS  data  used  to  accrue  expenses  could  not  be  relied  on  few  accuracy 
because  the  VIPS  users  at  MSC  Area  Commands  did  not  validate  the  data  or 
always  update  VIPS  as  required.  In  addition,  the  internal  controls  at  MSC 
Headquarters  did  not  provide  for  recognition  of  all  errors  in  data  entry.  Users 
at  the  Area  Commands  made  data  entry  errors  and  failed  to  update  VIPS. 
Internal  controls  at  MSC  Headquarters  provided  for  detection  only  of  obvious 
instances  of  noncompliance,  such  as  a  lack  of  port  or  sea  days  for  a  ship 
voyage.  DoD  Regulation  7000. 14-R  requires  that  accurate  financial  data  be 
furnished  to  management.  For  example,  the  MSC  Comptroller  regularly  briefs 
the  Commander,  MSC,  about  the  financial  status  of  MSC.  In  addition,  budget 
execution  requires  tracking  of  budgeted  expenses  to  actual  expenses  on  a  line- 
item  basis  Accrued  Expenses  and  actual  cash  payments  compose  the  expenses 
reported  on  the  MSC  monthly  profit  and  loss  statement.  Accrued  Expenses  are 
used  to  determine  monthly  balances  for  the  accrued  liability  account,  the 
expense  account,  and  the  net  operating  results.  Therefore,  the  consequences  of 
inaccurate  Accrued  Expenses  extend  beyond  the  financial  statements  and  could 
influence  financial,  operational,  and  budget  decisions. 


VIPS  Reports.  Our  judgmental  sample  of  fuel  accrual 
transactions  for  February  and  July  1994  indicated  that  in  three  out  erf  fore 
transactions,  the  incorrect  dollar  amount  was  accrued.  In  one  instance,  the 
Arrival  and  Departure  Report  indicated  that  a  ship  was  in  port  for  23  or  24  days 
during  a  given  month.  However,  when  the  data,  base  was  summarized  in  the 
Port  Time  Report,  no  port  days  were  reported.  Lack  of  reported  port  rays 
understates  the  accrual  for  Port  Charges  and  overstates  the  accrual  for  Fuel 
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Charges.  In  addition,  in  a  Fort  and  Sea  Time  Report  used  by  MSC  accountants, 
the  number  of  days  that  the  ship  was  in  port  or  at  sea  was  blank.  In  each  of  the 
sampled  transactions,  the  original  number  of  port  days  could  not  be  determined 
from  the  Arrival  and  Departure  Report.  In  another  sample,  the  ship  was  listed 
as  being  at  sea  between  15  and  21  days  during  the  month.  Fuel  was  eventually 
accrued  fen:  26  days  at  sea. 

Updates  to  VIPS.  VIPS  users  at  MSC  Area  Commands  did  not 
update  VIPS.  As  a  result,  VIPS  data  needed  at  month’s  end  to  prepare  the  Port 
and  Sea  Time  Report  were  incomplete.  Although  MSC  Instruction  4610.32D 
requires  MSC  Area  Commanders  to  report  VIPS  information  daily,  the  actual 
data  input  were  inconsistent.  These  inconsistencies  were  attributed  to  other 
Area  Command  priorities,  the  nonavailability  and  inability  of  the  VIPS  users  at 
the  Area  Commands  to  perform  this  function,  and  the  lack  of  training  on  VIPS. 
Automated  messages  and  other  source  data  were  used  by  the  VIPS 
Administrator  to  determine  whether  ship  voyage  data  in  VIPS  were  current  and 
accurate.  The  number  of  automated  messages  available  for  daily  review  ranged 
from  fewer  than  five  messages  to  several  hundred.  This  volume  prevented  the 
VIPS  Administrator  from  reviewing  100  percent  of  automated  messages  on  dry 
cargo  ships.  In  addition,  edit  checks  or  reconciliations  were  not  possible 
because  of  strict  reporting  deadlines  at  the  month's  end.  The  VIPS 
Administrator  was  required  to  give  a  Port  and  Sea  Time  Report  to  the  MSC 
Accounting  Division  by  the  6th  working  day  following  the  month's  end.  To 
compensate  for  incomplete  VIPS  data,  personal  judgment  was  used  to  interpret 
the  monthly  Port  Time  Report,  and  estimates  were  made.  The  ship  s  actual 
movements  should  be  checked  and  reconciled  with  data  from  ship  schedules, 
automated  messages,  and  other  reports  to  ensure  that  the  VIPS  data  are 
accurate. 

Efficient  Use  of  Data  Processing  and  Accounting  Methodology. 
Accountants  must  use  the  monthly  Port  and  Sea  Time  Report,  a  report  of  VIPS 
summary  data  and  estimated  fuel  use,  to  update  the  accrual  data  and  calculate 
the  total  costs  few  the  month  by  individual  ships.  Actual  payment  history  is  used 
to  calculate  averages  used  for  accruals.  For  example,  each  day  a  ship  is  in  port 
may  cost  $1,000.  The  Port  and  Sea  Time  Repent  shows  the  number  of  days  the 
ship  is  in  port.  An  MSC  database  system  calculates  port  charges  based  on  port 
days  entered  and  enters  the  accrual  data  into  FMIS  Gateway.  As  noted  in  the 
General  Ledger,  the  reversals  are  automatic;  however,  reestablishing  the  accrual 
for  the  subsequent  period  is  manual  and  tedious. 

VIPS  does  not  automatically  interface  with  FMIS  Gateway  or  the  General 
Ledger.  The  port  time  data  are  manually  transferred  from  the  Port  aral  Sea 
Time  Report  into  spreadsheets  before  entry  into  the  General  Ledger.  At  MSC, 
6  or  7  employees  must  enter  VIPS  data  from  20  to  30  ships  per  month  or  60  to 
90  transactions.  MSC  personnel  eater  the  data  over  a  2-week  period  each 
month.  Because  MSC  does  not  have  an  integrated  system,  data  must  be  entered 
manually,  which  could  reduce  data  reliability  and  the  accuracy  of  accruals.  For 
example,  VIPS  data  are  often  updated  after  the  Port  and  Sea  Time  Report  is 
prepared;  however,  the  Port  and  Sea  Time  Report  sent  to  the  Accounting 
Division  is  not  updated.  Therefore,  accrual  entries  based  on  inaccurate  VIPS 
data  are  not  corrected  by  MSC  accountants.  To  improve  the  accuracy  of 
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Accrued  Expense*  calculated  from  VIPS  data,  MSC  must  require  validation,  of 
VIPS  data.  Operations  personnel  at  the  Area  Commands  should  follow  existing 
validation  procedures  to  ensure  the  accuracy  of  VIPS  data. 

Accrual  Process  for  Expenses.  The  MSC  Headquarters  method  of  generating 
and  tracking  Accrued  Expenses  did  not  meet  DoD  requirements.  The  method 
did  not  fully  comply  with  accounting  principles,  standards,  and  policies;  the 
Hsta  processing  systems  used  to  generate  Accrued  Expenses  differed  among 
components  of  MSC;  and  the  data  processing  and  accounting  methodologies 
were  inefficient.  The  expense  tracking  system  now  under  development  should 
improve  the  process.  According  to  MSC,  the  system  will  automate  the 
matching  of  disbursements  and  the  generation  of  accrued  liabilities,  improve 
internal  controls,  and  comply  with  regulations. 

Compliance  with  Accounting  Principles,  Standards,  and  Policies. 
The  accounting  methodology  used  to  generate  Accrued  Expenses  did  not  meet 
the  standards  for  accrual  accounting.  Accruals  should  be  based  on  the  actual 
receipt  of  goods  and  services.  Instead,  MSC  estimated  the  accrual  expense 
based  on  obligation  or  estimated  receipt  of  goods  and  services.  In  Naval  Audit 
Service  Report  No.  Q53-H-94,  "FY  1993  Consolidating  Financial  Statements  of 
the  Department  of  the  Navy  Defense  Business  Operations  Fund, 
June  29,  1994,  the  Ngval  Audit  Service  recognized  that  the  account  balances  for 
accruals  were  unsupported  because  of  errors,  financial  system  deficiencies,  and 
noncompliaiKe  witnDoD  and  Navy  regulations.  To  correct  the  problem,  the 
Naval  Audit  Service  recommended  that  the  Assistant  Secretary  of  the  Navy 
(Financial  Management  and  Comptroller)  direct  Navy  DBOF  activities  to 
artaKiiA  a  m«n,  of  tucking  expeases.  Such  a  practice  should  generate  more 
reliable  data  and  accrue  liabilities  that  can  be  substantiated  with  expense  details. 
MSC  plant  to  implement  an  expense  tracking  system;  however,  the 
implementation  date  is  uncertain. 

The  Budgf*  Office  and  the  Accounting  Division  could  not  support  expense  and 
liability  accruals  in  the  Ship  Activation  and  Deactivation  General  Ledger 
Account  because  an  expense  tracking  system  did  not  exist.  To  determine  when 
a  ship  was  activated  or  deactivated,  the  Budget  Office  provided  accrual  amounts 
verbally  to  the  Accounting  Division  based  on  estimates  from  the  shipper. 
Neither  the  Budget  Office  nor  the  Accounting  Division  could  produce 
documentation  based  on  actual  receipt  of  services  to  support  the  accruals. 
Bream*  of  the  lack  of  documentation,  the  transaction  trail  needed  to  substantiate 
the  account  did  not  exist.  To  improve  the  reliability  of  the  Accrued 

Expenses  data  from  the  MSC  Budget  Office,  MSC  must  establish  procedures 
that  will  require  substantiation  of  the  Budget  Office's  information  on  costs. 

of  Data  Processing*  MSC  did  not  use  a  standardized 
method  for  processing  accruals  erf  expenses.  Accruals  were  processed 
differently  at  MSC  Pacific  and  MSC  Headquarters.  Accrued  cargo  expenses 
were  automatically  generated  at  MSC  Pacific;  when  correct,  those  expenses 
were  automatically  entered  into  the  General  Ledger  through  the  interface 
between  the  General  Ledger  and  FINIS.  However,  at  MSC  Headquarters,  data 
extracted  from  VIPS,  the  feeder  system,  were  manually  entered  into  a  database, 
used  to  calculate  accrued  expenses,  transferred  automatically,  and  processed  by 
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FMIS  Gateway.  A  standardized  process  would  reduce  the  effort  needed, 
increase  timeliness  and  reliability,  and  improve  accountability  and  data 
integrity. 

Data  Processing  and  Accounting  Methodology.  DoD  Regulation 
7000. 14-R  states  that  the  accounting  system  should  make  the  most  efficient  use 
of  data  processing  and  accounting  methodology.  MSC  Headquarters  established 
manual  requirements  for  the  monthly  accruals  and  adjustments  of  Accrued 
Expenses. 

Review  Process.  After  the  close  of  each  accounting  period,  all 
accrual  entries  are  automatically  reversed.  As  a  result,  accountants  must  review 
each  accrual  to  determine  its  current  status.  For  instance,  an  accountant  reviews 
the  disbursement  listings,  which  show  that  an  Accrued  Expense  was  paid,  to 
determine  whether  the  payment  was  partial  or  in  full.  If  the  payment  was 
partial,  the  remaining  accrual  amount  must  be  reentered  in  the  system.  If  the 
payment  was  in  full,  no  adjustments  are  necessary.  However,  if  no 
disbursement  activity  was  found,  the  reversed  accrual  must  be  reentered  into 
FMIS  Gateway. 

The  accrual  review  process  is  the  largest  function  of  the  Accounting  Division  at 
MSC  Headquarters,  and  requires  approximately  2  weeks  each  month. 
Approximately  6  out  of  13  personnel  are  involved  in  this  process.  Accounting 
personnel  processed  3,667  accrual  transactions  during  February  and  July  1994. 

If  the  2  months  are  typical,  22,000  transactions  would  be  reviewed  annually. 

Conclusion.  At  MSC,  the  accounting  and  related  systems  did  not  fully  comply 
with  the  requirements  of  DoD  Regulation  7000. 14-R.  The  systems  did  not  fully 
comply  with  accounting  principles,  standards,  and  policies;  use  toe  DoD 
Standard  General  Ledger  chart  of  accounts;  maximize  the  use  of  standard  data 
processing;  make  the  most  efficient  use  of  data  processing  aid  accounting 
methodology;  or  produce  auditable  financial  statements.  As  a  result,  auditors 
could  not  establish  a  transaction  trail  from  account  balances  to  underlying 
transactions  supporting  the  MSC  Statement  of  Financial  Position  for  FY  1994. 

To  accomplish  the  internal  control  objectives  in  DoD  Regulation  7000. 14-R, 
MSC  should  adapt  toe  DoD  Standard  General  Ledger  chart  of  accounts, 
establish  an  allowance  for  uncollectibles,  substantiate  the  aging  of  Accounts 
Receivable,  and  ensure  that  CARS  corrects  the  deficiencies  in  accruing  cargo 
expenses.  Also,  VIPS  personnel  should  validate  data  extracted  from  VIPS. 
Accounting  personnel  should  develop  procedures  to  substantiate  the  accrual 
information  transferred  between  the  Budget  Office  and  the  Accounting  Division. 
MSC  expects  that  CARS  and  the  Accounts  Receivable  system,  Access,  will  { 
improve  internal  controls. 
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The  Control  Environment 


At  MSC,  the  control  environment  made  existing  policies  and  procedures  less 
effective;  management  had  not  properly  trained  VIPS  personnel.  The  result 
could  be  inny?^  risk  of  a  material  misstatement  of  the  account  balances  for 
Accrued  Expenses. 

Formal  training  courses  for  VIPS  users  do  not  exist.  Neither  the  VIPS 
Administrator  at  MSC  Headquarters  nor  the  VIPS  users  at  MSC  Area 
Commands  have  been  formally  trained  on  the  functions  of  VIPS.  The  VIPS 
Administrator  and  the  Assistant  Administrator  received  on-the-job  training  from 
the  developer  of  the  VIPS  system;  however,  the  training  did  not  give  the 
individuals  a  complete  understanding  erf  the  functions  of  the  VIPS  data  base. 
The  VIPS  users  at  MSC  Area  Commands  received  on-the-job  training  from 
predecessors.  Such  training  was  not  adequate;  VIPS  users  made  errors,  and  the 
VIPS  Administrator  frequently  requested  updates  to  VIPS  data.  Ouranalysii  of 
the  daily  VIPS  arrival  and  departure  data  for  February  and  July  1994  showed 
that  166  out  of  436  transactions,  or  38.1  percent,  contained  incomplete  voyage 
data  These  instances  of  incomplete  data  were  included  in  the  month-end  Port 
Time  Report.  The  Port  Time  Report  is  used  to  develop  the  Port  and  Sea  Tune 
Report,  which  is  transmitted  to  the  MSC  Accounting  Division  for  expense 
accrual  purposes. 

VIPS  data  are  used  in  conjunction  with  other  financial  data  to  determine 
expense  accruals  for  dry  cargo  ships.  The  timing  and  accuracy  of  data  entry  arc 
critical  to  the  accrual  process.  Because  of  the  inadequacy  of  VIPS  data,  VIPS 
Administrators  could  not  distinguish  between  actual  and  planned  voyages.  For 
planned  voyages,  departure  and  arrival  times  arc  not  entered  in  VIPS.  If 
departure  and  arrival  times  arc  not  shown  for  an  actual  voyage  and  the 
administrator  knows  that  the  ship  sailed,  the  administrator  uses  personal 
judgment  to  determine  the  number  of  days  a  ship  was  in  port  or  at  sea.  The 
accuracy  of  the  number  of  days  at  sea  or  in  port  is  directly  related  to  Accrued 
Expenses  for  dry  cargo  ships.  Such  arbitrary  calculation  of  VIPS  data  directly 
affects  the  accrual  amounts  for  Fuel  Expense,  Port  Charges,  and  Miscellaneous 
Expenses  such  as  Ship  Activation  and  Deactivation.  Formal  training  courses 
should  be  developed  and  provided  to  the  VIPS  Administrator  at  MSC 
Headquarters  and  VIPS  users  at  MSC  Area  Commands. 


Control  Procedures 


MSC  did  not  have  effective  control  procedures  to  assure  management  that 
material  errors  were  detected  promptly.  Accounting  personnel  did  not 
document  their  standard  operating  procedures  and  accounting  transactions.  As  a 
result,  management  could  not  establish  a  transaction  trail  from  account  balances 
to  underlying  transactions  supporting  the  MSC  Statement  of  Financial  Position 
for  FY  1994.  MSC  should  establish  standard  operating  procedures  for  Accounts 
Receivable  and  Accrued  Expenses. 
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Control  procedures  or  techniques  are  policies  and  procedures,  in  addition  to  the 
control  environment  and  financial  management  system,  that  have  been 
established  to  provide  reasonable  assurance  that  specific  internal  control 
objectives  will  be  achieved.  Standard  operating  procedures  and  accounting 
transactions  should  be  documented  to  ensure  that  material  errors  are  detected 
promptly. 

Documentation  of  Standard  Operating  Procedures.  At  MSC 
Headquarters,  standard  operating  procedures  for  Accounts  Receivable  and 
Accrued  Expenses  were  nonexistent.  For  example,  the  MSC  Headquarters 
Accounting  Division  had  no  written  standard  operating  procedures,  only  a  job 
description  for  the  Accounts  Receivable  functions  of  tracking,  analyzing,  and 
reconciling.  When  an  accountant  retired  unexpectedly,  MSC  had  to  reconstruct 
much  of  the  Accounts  Receivable  process. 

Similarly,  MSC  had  no  standard  operating  procedures  for  developing  the 
VIPS-based  Accrued  Expenses.  Personnel  used  the  VIPS  data  to  extract  ship 
data  Standard  operating  procedures  are  needed  for  processing  VIPS  data  at  the 
Area  Commands  and  MSC  Headquarters.  Accounting  personnel  discussed  the 
extracted  data  with  the  Budget  Office  to  obtain  cost  figures.  Variances  between 
information  from  VIPS  and  the  Budget  Office  are  sometimes  verified  to  assure 
consistency  in  reporting  and  analysis. 

The  lack  of  standard  operating  procedures  may  affect  the  completeness, 
valuation,  and  presentation  of  Accounts  Receivable  and  Accrued  Expenses  on 
the  Statement  of  Financial  Position.  Standard  operating  procedures  must  be 
established,  documented,  and  distributed. 

Documentation  of  Accounting  Transactions.  Documentation  of 
transactions  or  other  significant  events  should  be  complete  and  accurate,  and 
should  facilitate  tracing  the  transactions  or  events  from  initiation  until  the 
process  is  completed.  The  documentation  should  be  useful  to  managers  in 
controlling  their  operations,  and  to  auditors  or  others  involved  in  analyzing 
operations. 

As  discussed  in  "Accrual  Process  for  Expenses,"  the  Budget  Office  and  the 
Accounting  Division  could  not  support  actual  expense  and  liability  accruals  m 
the  Ship  Activation  and  Deactivation  General  Ledger  Account  because  an 
expense  tracking  system  did  not  exist.  The  Budget  Office  told  the  accountants 
the  accrual  amounts  based  on  estimates  from  the  shipper.  Neither  the  Budget 
Office  nor  the  Accounting  Division  could  produce  documentation  based  on 
actual  receipt  of  services  to  support  the  accruals.  This  lack  of  documentation 
prevented  the  substantiation  of  financial  data. 

Conclusion.  Control  procedures,  which  are  necessary  to  ensure  that 
management  objectives  are  achieved  and  material  misstatements  in  the  financial 
statements  are  detected,  were  ineffective.  MSC  Headquarters  did  not  have 
standard  operating  procedures  and  desk  procedures  for  Accounts 
Receivable  and  Accrued  Expenses.  Standard  operating  procedures  are  needed 
for  application  of  accounting  standards  and  operations.  All 

accounting  transactions  should  be  properly  documented  and  substantiated. 
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Summary 


The  internal  control  structure  at  MSC  did  not  provide  reasonable  assurance  of 
achieving  the  internal  control  objectives.  To  accomplish  the  internal  control 
objectives  in  DoD  Regulation  7000. 14-R,  the  accounting  and  related  systems 
within  MSC  must: 

o  comply  with  accounting  principles,  standards,  and  policies; 

o  use  the  DoD  Standard  General  Ledger  chart  of  accounts; 

o  maximize  the  use  of  standard  data  processing; 

o  make  the  most  efficient  use  of  data  processing  and  accounting 
methodology;  and 

o  produce  auditable  financial  statements. 

The  Under  Secretary  of  Defense  (Comptroller)  is  aware  of  the  weaknesses 
found  at  MSC  and  in  the  overall  DBOF  community.  In  the  May  4,  1995, 
"Management  Representation  Letter  for  the  Defense  Business  Operations 
Fund  Financial  Statements  for  FY  1994,"  sent  to  the  Assistant  Inspector  General 
for  Auditing,  DoD,  die  Under  Secretary  of  Defense  (Comptroller)  reiterated 
many  of  the  problems  identified  during  this  audit.  Throughout  the  DBOF 
community,  systemic  and  procedural  deficiencies  exist  in  DoD  accounting  and 
financial  management  systems.  The  DoD  Comptroller  also  noted  problems  with 
internal  controls  and  compliance.  USTRANSCOM  is  also  aware  of  the 
weaknesses  in  its  components'  accounting  systems.  In  the  January  27,  1995, 
"Management  Representation  Letter  for  the  Defense  Business  Operations  Fund  - 
Transportation  FY  1994  Financial  Statements,"  sent  to  the  Assistant  Inspector 
General  for  Auditing,  DoD,  the  USTRANSCOM  Director  of  Program  Analysis 
and  Financial  Management  noted  the  lack  of  integrated  systems  and  lack  of 
compliance  with  the  DoD  Standard  General  Ledger  chart  of  accounts.  The 
Naval  Audit  Service  hfcnrififld  similar  weaknesses  in  the  FMIS  accounting 
system  in  its  audit  of  the  MSC  FY  1993  financial  statements.  FMIS  lacked 
subsidiary  ledgers  and  audit  trails  and  did  not  use  the  DoD  standard  general 
ledger,  and  its  systems  were  not  integrated. 

Since  FMIS  is  one  of  two  systems  nominated  by  the  DBOF  Corporate  Board  for 
as  the  interim  migratory  system  for  the  Transportation  Business 
Area,  we  are  not  making  a  recommendation  on  accounting  systems.  However, 
financial  data  will  not  Tie  reliable  until  a  standardized  accounting  system  is 
identified  and  for  the  USTRANSCOM  components. 

MSC  has  taken  steps  to  improve  the  Accounts  Receivable  tracking  and  expense 
accrual  process.  CARS,  Access,  and  the  expense  tracking  system  are  in  varying 
<>f  completion.  After  implementation,  MSC  expects  improvement  m 
internal  controls. 
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Management  must  emphasize  both  environmental  and  procedural  controls.  This 
emphasis  must  include  training  of  personnel  and  developing  written  standard 
operating  procedures.  Otherwise,  the  weaknesses  in  the  internal  control 
structure  may  continue  to  hinder  management's  ability  to  rely  on  the  financial 
statements,  and  auditors  will  be  unable  to  verify  the  accuracy  of  the  statements. 


Recommendations,  Management  Comments, 
and  Audit  Response 


A.  We  recommend  that  the  Commander,  Military  Sealift  Command: 

1.  Transition  toward  using  the  DoD  Standard  General  Ledger  chart 
erf  accounts  and  improve  the  accuracy  of  crosswalks  being  used  for 
reporting  in  the  interim. 

Management  Comments.  MSC  partially  concurred.  MSC  agreed  that  the  use 
of  the  DoD  Standard  General  Ledger  chart  of  accounts  is  appropriate  and  has 
developed  a  crosswalk  for  reporting  to  the  DFAS  Denver  Center.  However, 
MSC  stated  that  significant  resources  are  required  to  make  the  change  to  the 
MSC  accounting  system.  MSC  suggested  that  this  requirement  be  placed  in 
abeyance  until  a  decision  is  made  to  select  the  migratory  system  for 
transportation. 

Audit  Response.  Management  comments  were  not  fully  responsive.  We  agree 
that  waiting  until  a  migratory  system  has  been  selected,  before  expending 
resources  to  bring  the  MSC  accounting  system  into  compliance,  may  be  more 
cost  effective.  However,  we  are  concerned  about  the  accuracy  of  the  crosswalk 
used  for  reporting  to  the  DFAS  Denver  Center.  As  the 
USTRANSCOM  Director  of  Program  Analysis  and  Financial  Management 
noted  in  the  management  representation  letter,  dated  January  27,  1995,  "Since 
the  crosswalks  do  not  always  have  a  one-for-one  relationship  to  the  SGL, 
transactions  are  not  always  properly  recorded  and  accounted  for  to  permit  the 

preparation  of  reliable  financial  statements - "  Improvements  to  the 

crosswalk  are  needed  to  minimize  the  potential  for  accounting  errors.  MSC 
should  work  with  the  DFAS  Denver  Center  to  alleviate  the  problems  with  toe 
crosswalk  by  the  lack  of  a  one-for-one  relationship.  These  interim 

corrections  should  improve  toe  reliability  of  toe  financial  statements.  We 
request  that  MSC  provide  additional  comments  on  our  recommendation,  which 
has  been  modified  to  clarify  our  intent  and  to  accomodate  MSC  comments. 

2.  Use  the  Allowance  for  Loss  on  Accounts  Receivable  account  from 
the  DoD  chart  of  accounts  and  establish  the  criteria  for  determining  the 
allowance  for  FY  1995,  -as  stated  in  DoD  Regulation  7000.14-R,  "DoD 
Financial  Management,”  Volume  1,  May  1993. 

Comments.  MSC  concurred  and  stated  that  the  action  will  be 
completed  before  the  end  of  FY  1995. 
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3.  Stop  <»rtiinntin£  the  aging  data  for  Accounts  Receivable  and 
establish  procedures  that  use  actual  data  in  the  aging  of  Accounts 
Receivable  as  required  by  DoD  Regulation  7000.14-R,  "DoD  Financial 
Management,"  Volume  1,  May  1993. 

Management  Comments.  MSC  concurred  and  stated  that  the  action  is 
complete.  The  new  system,  Access,  can  provide  actual  Accounts  Receivable 
data. 


4.  Implement  procedures  to  analyze  and  document  whether  the  new 
Cargo  Accrual  System  effectively  corrects  the  deficiencies  in  the  Financial 
Information  System. 

Management  Comments.  MSC  concurred  and  stated  that  under  the  new  Cargo 
Accrual  System,  revenue  and  expense  workloads  must  be  matched  and  any 
unbilled  revenues  and  unpaid  expenses  will  be  automatically  calculated.  In 
addition,  any  system  problems  will  be  promptly  identified  and  corrected. 
Management  considers  the  corrective  action  complete. 

5.  Fellow  procedures  to  validate  the  Vessel  Information  Planning 
ami  Analysis  System's  dry  cargo  data  used  to  establish  Accrued  Expenses, 
as  stated  in  Military  Sealift  Command  Instruction  461Q.32D,  "Vessel 
Information  Planning  and  Analysis  System  (VIPS)  Reporting  Instructions," 
September  6, 1990. 

Management  Comments.  MSC  concurred  and  stated  that  the  VIPS 
replacement  prototype  will  provide  accrued  expenses  in  accordance  with  MSC 
Instruction  461Q.32D.  The  action  is  expected  to  be  complete  in 
December  1993. 

Audit  Response.  Management  comments  were  responsive,  but  additional 
clarification  is  needed.  We  commend  MSC  for  identifying  problems  with  the 
current  VIPS  and  developing  a  VIPS  replacement.  However,  we  are  not  certain 
whether  MSC  is  developing  a  new  prototype  system  or  upgrading  the  current 
system.  In  addition,  VIPS  u  an  operational  system  that  supplies  the  data  needed 
jjy  accountancy  to  calculate  accrued  expenses.  The  MSC  Instruction  4610.32b 
does  not  require  validation  of  accrued  expenses,  but  rather  validation  of  the  data 
entered  in  VIPS.  MSC  should  clarify  how  the  data  will  be  validated  in 
with  MSC  Instruction  4610.32D.  We  request  that  MSC  provide 
a^itirmai  comments  on  this  prototype  system  that  is  expected  to  be  operational 
by  December  1995,  and  its  capacity  for  validating  data. 

6.  Establish  standard  operating  procedures  for  substantiating  the 
cost  figures  used  to  accrue  dry  cargo  expenses. 

MuugflMBt  CobubcqU*  MSC  concurred  and  stated  that  the  VIPS 
replacement  system  will  provide  accrued  expenses  in  accordance  with  MSC 
Instruction  4610.32D.  Action  is  expected  to  be  complete  in  December  1995. 

Audit  Respond.  Management  comments  were  not  fully  responsive.  MSC  did 
not  specify  how  the  new  system  will  substantiate  the  cost  figures  used  to  accrue 
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dry  cargo  expenses.  The  recommendation  applied  to  the  cost  figures  obtained 
from  the  Budget  Office  as  well  as  the  data  extracted  from  VIPS.  Neither  the 
cost  figures  obtained  from  the  Budget  Office  nor  the  data  extracted  from  VIPS 
were  always  substantiated.  Standard  operating  procedures  are  needed  to  ensure 
that  the  data  are  substantiated.  We  request  that  MSC  provide  additional 
comments  on  how  this  recommendation  will  be  implemented. 


7.  Determine  the  training  needs  of  personnel  who  work  with  the 
Vessel  Information  Planning  and  Analysis  System  and  provide  training  on 
the  system  and  the  related  regulations. 

Management  Comments.  MSC  concurred  and  stated  that  a  tutorial  will  be 
developed  for  the  VIPS  prototype  system.  The  action  is  expected  to  be 
complete  in  December  1995. 

Audit  Response.  Management  comments  were  not  fully  responsive.  In  order 
to  be  more  specific  about  actions  necessary,  we  modified  the  recommendation  to 
clarify  that  MSC  should  determine  the  training  needs  of  personnel  who  work 
with  VIPS  and  provide  training  to  them  on  the  system  and  the  relate 
regulations.  MSC  did  not  state  that  it  would  determine  the  training  needs  of  the 
personnel  working  with  VIPS,  nor  did  MSC  state  that  it  would  train  personnel 
on  the  related  regulations.  Current  VIPS  users  may  possess  the  user's  manual 
and  several  technical  guides.  However,  these  aids  are  not  sufficient  as  training 
tools  We  believe  that  formal  as  well  as  on-the-job  training  is  required.  Once 
the  training  needs  have  been  identified,  whether  on  the  current  or  new  system, 
the  training  curriculum  needs  to  be  developed  and  executed.  We  request  that 
MSC  provide  additional  comments  on  the  training  of  personnel  who  use  VIPS. 


8.  Develop  departmental  standard  operating  procedures  and  desk 
procedures  for  each  section  of  the  Accounting  Division  and  the  Vessel 
Information  Planning  and  Analysis  System's  operations,  and  verify  that  the 
procedures  are  accurate,  updated,  and  readily  accessible. 

Management  Comments.  MSC  concurred.  MSC  stated  that  procedures  will 
be  developed  in  conjunction  with  changes  in  VIPS  and  accounting  procedures. 
Reengineering  and  automation  efforts  will  impact  these  procedures.  The  target 
completion  date  is  the  end  of  FY  1996. 


Audit  Response.  Management  comments  were  not  fully  responsive.  We  agree 
that  standard  operating  procedures  for  the  Accrued  Expenses  generated  by  the 
VIPS  replacement  prototype  should  be  held  in  abeyance  until  the  system  is  on 
line.  However,  standard  operating  procedures  for  each  section  of  the 
Accounting  Division  should  be  developed  in  a  more  timely  manner.  Standard 
operating  procedures  for  the  new  system,  Access,  should  be  developed  before 
the  end  of  FY  1996.  We  request  that  MSC  reconsider  its  comments  on  the 
standard  operating  procedures  for  the  Accounting  Division  and  the  completion 
date.  We  also  request  that  MSC  provide  an  explanation  of  the  time  frame 
required  to  implement  this  recommendation. 
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Management  Comments  Required 

The  Commander,  Military  Sealift  Command  is  requested  to  comment  on  the  items 
indicated  with  an  X  in  Table  1. 


Table  1.  Management  Comments  Required  on  Finding  A. 


Recommendation 

Concur/ 

Proposed 

Completion 

Related 

Number 

Action 

Date 

Isaue8 

1. 

X 

X 

X 

5. 

X 

X 

X 

6. 

X 

X 

X 

IC 

7. 

X 

X 

X 

IC* 

8. 

X 

X 

X 

IC* 

+IC  -  lateral!  Control* 


Finding  B.  Military  Sealift  Command 
Computer  Security 

General  controls  associated  with  access  and  accountability  over  the  ULB 
application  programs  and  data  were  not  effective.  This  made  application 
programs  and  data  vulnerable  to  unauthorized  access  and  alteration. 
These  conditions  occurred  because  computer  security  personnel  did  not 
follow  policies  and  procedures  that  required  proper  management  of 
access  to  the  application  programs  for  the  ULB  and  accountability  for 
user  identification  codes  (user  IDs).  In  addition,  security  personnel  were 
not  properly  trained  and  supervised  in  their  responsibilities.  As  a  result, 
at  least  31  users  could  alter  ULB  data  without  detection,  and  at  least 
7  user  IDs  of  unauthorized  personnel  were  still  in  use. 


Computer  Security  Responsibilities 


The  ULB  is  the  automated  manifest-based  cargo  system  used  by  MSC  to  process 
cargo  manifests  for  customer  billings.  The  ULB  generates  the  Revenue  and 
Accounts  Receivable  account  balances.  The  ULB  operates  on  a  mainframe 
computer  owned  by  the  Defense  Information  Processing  Center  in  Washington, 
D.C. 

General  controls  are  policies  and  procedures  for  an  organization's  overall 
computer  operation.  General  controls  are  classified  as  organization  and 
segregation  of  duties;  systems  design,  development,  and  modification;  and 
security.  Within  the  broad  scope  of  general  controls,  we  reviewed  computer 
security  related  to  user  access  to  the  ULB.  The  Defense  Information  Processing 
Center  is  responsible  for  the  physical  security  of  the  MSC  computer  and  work 
area.  MSC  personnel  are  responsible  for  access  and  accountability  of  users  of 
the  MSC  programs  and  data. 

OPNAV  [Naval  Operations]  Instruction  5239. 1A,  "Department  of  the  Navy 
Automatic  Data  Processing  Security  Program,"  April  1,  1985,  and  COMSC 
[Commander,  Military  Sealift  Command]  Instruction  5510.8D,  "COMSC 
Security  Manual,"  May  26,  1992,  assign  the  responsibility  for  ensuring 
adequate  automatic  data  processing  (ADP)  security  to  the  activity’s  commanding 
officer  and  the  ADP  security  staff.  The  instructions  also  define  die 
responsibilities  of  the  ADP  security  officer  and  the  ADP  systems  security 
officer  (ADPSSO). 

The  ADP  security  officer,  as  the  senior  member  of  the  ADP  security  staff, 
should  ensure  that  an  ADPSSO  is  appointed  for  each  automated  information 
system,  project,  or  application.  The  ADP  security  officer  should  advise  and 
assist,  direct  the  ADPSSO  in  carrying  out  ADP  security  responsibilities,  and 
review  the  {dans  and  procedures  of  the  ADPSSO  for  completeness  and 
adherence  to  policy. 
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Responsibilities  of  the  ADPSSO  include  performing  system  risk  assessments  and 
monitoring  system  activity.  The  ADPSSO  should  identify  the  levels  of  access 
and  type  of  data  handled  by  each  automated  information  system,  and  should 
assign  passwords.  In  addition,  the  ADPSSO  should  review  audit  trails  and 
outputs  to  ensure  compliance  with  security  directives  and  procedures,  and 
should  maintain  a  current  list  of  all  users  having  access  to  each  automated 
information  system.  The  list  should  include  names,  codes,  and  user  IDs. 


Implementation  of  Computer  Security  Policies  and  Procedures 


System  security  personnel  at  MSC  Headquarters  did  not  follow  DoD  computer 
security  policies  and  procedures.  The  ADPSSO  did  not  review  and  adjust  the 
level  of  access  needed  by  and  granted  to  ULB  users.  The  ADPSSO  did  not 
properly  monitor  and  remove  user  IDs  when  access  to  the  ULB  was  no  longer 
required  or  authorized.  In  addition,  MSC  system  security  personnel  did  not  use 
an  available  security  feature  to  control  access  to  the  programs  and  data. 
Consequently,  at  least  31  users  could  alter  ULB  data  without  detection,  and  user 
IDs  of  unauthorized  personnel  were  stiU  in  use.  If  the  ADP  security  officer  and 
ADPSSO  had  periodically  reviewed  security  operations  for  compliance  with 
security  procedures,  these  weaknesses  in  security  could  have  been  corrected. 
MSC  did,  however,  take  prompt  action  to  remedy  some  of  the  problems  we 
found. 

Level  of  Access  to  ULB  Data  and  Programs.  At  least  31  users  at  MSC  could 
alter  ULB  data  without  detection.  The  ADPSSO  did  not  follow  DoD  Directive 
5200.28,  "Security  Requirements  for  Automated  Information  Systems," 
March  21,  1988,  which  requires  the  use  of  the  least-privilege  principle.  Under 
the  least-privilege  principle,  the  system  grants  access  only  to  the  information  to 
which  the  user  is  entitled  by  virtue  of  security  clearance  and  approved  access. 
The  ADPSSO  had  not  reviewed  and  evaluated  the  need  for  user  access  to  the 
MSC  Revenue  Production  Library  (the  Library). 

We  reviewed  the  list  of  personnel  who  had  been  granted  access  to  the  Library, 
which  contains  sensitive  programs  and  files  from  the  ULB.  According  to  the 
ADPSSO  for  the  ULB,  only  a  few  employees  from  the  Information  Resource 
Directorate's  Business  Systems  Division  (the  technical  branch  responsible  for 
program  changes)  have  access  to  the  entire  library.  Employees  from 

operational  branches,  such  as  the  Performance  and  Analysis  Brandi,  should 
have  access  to  only  a  few  files  of  the  library.  However,  we  found  that  all 
31  users  could  alter  ULB  data  without  detection.  MSC  computer  security 
personnel  should  follow  established  procedures  in  DoD  Directive  5200.28  that 
require  the  ADPSSO  to  periodically  review  user  IDs  for  the  level  of  access 
needed  by  users. 

Accountability  for  User  Identification  Codes.  Hie  ADPSSO  did  not  follow 
DoD  and  MSC  guidance  on  accountability  for  user  IDs.  The  ADPSSO  did  act 
periodically  review  user  IDs  to  ensure  that  they  wore  up-to-date.  In  addition, 
MSC  did  not  utilize  a  feature  of  the  existing  security  software  that  would 
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establish  an  audit  frail  for  detecting  user  access.  Consequently,  at  least  seven 
user  IDs  for  unauthorized  personnel  were  still  in  use.  Four  of  the  seven  user 
IDs  could  also  alter  any  ULB  data  without  detection.  In  addition,  we  found  two 
user  IDs  with  high  numbers  of  security  violations.  Security  violations  represent 
unsuccessful  attempts  to  enter  the  system  using  improper  passwords  or  user  IDs. 
These  high  numbers  of  security  violations  may  indicate  that  MSC  employees 
and  contractors  circulated  the  user  IDs  or  passwords  around  the  work  area. 
However,  we  could  not  determine  who  committed  the  violations  or  the  causes  of 
the  violations.  MSC  should  follow  established  procedures  and  cancel  user  IDs 
immediately  upon  termination  of  employment  or  other  appropriate 
circumstances,  and  should  review  computer  access  lists  and  update  them  as 
necessary.  MSC  should  activate  the  Computer  Associates  Access  Control 
Facility  Version  2  software  that  provides  an  audit  trail  erf  user  access. 

Review  of  User  Identification  Codes.  We  reviewed  a  partial  list  of 
ULB  users.  The  list  contained  information  such  as  name,  level  of  access,  and 
number  of  security  violations.  We  noted  the  following  problems  with  access 
controls. 

o  User  ID  one  was  assigned  to  a  forma:  contractor's  employee.  The 
computer  account  was  still  active,  although  the  user  left  MSC  in  August  or 
September  1994.  Another  employee  used  foe  computer  account,  and  at  foe  time 
of  our  review  had  committed  262  security  violations  as  of  the  last  access  date  of 
December  9,  1994.  The  user  could  alter  data  within  the  ULB. 

o  User  ID  two,  assigned  to  a  former  MSC  employee,  was  still  active. 
The  last  access  date  was  February  3,  1995.  The  user  could  alter  data  within  the 

ULB. 

o  User  ID  three,  assigned  to  a  former  MSC  employee,  was  still  in  the 
system.  The  last  access  date  was  December  1,  1993.  The  user  could  alter  data 
within  the  ULB. 

o  User  ID  four,  assigned  to  a  former  employee  of  a  contractor,  was  still 
in  the  system.  The  last  access  date  was  October  3,  1994.  The  user  could  alter 
data  within  the  ULB. 

o  User  ID  five  did  not  specify  a  user  name.  At  the  time  of  our  review, 
the  account  had  committed  218  security  violations  since  the  last  access  date  of 
December  5,  1994. 

o  User  ID  six  listed  only  a  first  name.  The  account  had  committed  five 
security  violations  as  erf  the  last  access  date  of  December  9,  1994. 


o  User  IDs  six  and  seven  are  assigned  to  MSC  contractor  personnel  who 
perform  emergency  support  for  foe  ULB. 

When  these  problems  were  disclosed,  MSC  Headquarters  corrected  the 
discrepancies  associated  with  user  IDs  one,  five,  and  six.  MSC  Headquarters 
also  deleted  four  other  user  IDs.  Based  on  foe  problems  found  in  our  partial 
review,  a  complete  review  of  user  IDs  is  needed. 
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According  to  a  terminal  area  security  officer  at  MSC  Headquarters,  the  user  ID* 
for  departing  employees  are  removed  by  the  customer  support  center  s  stair 
during  an  employee's  check-out.  However,  our  audit  work  showed  that  the  user 
IDs  were  not  being  removed.  MSC  must  establish  computer  security 
procedures  for  immediate  cancellation  of  user  IDs  upon  termination  of 
employment  or  other  appropriate  circumstances. 

MSC  did  not  update  the  access  listings;  therefore,  when  an  old  user  ID  is 
reissued,  the  new  employee  may  automatically  be  given  the  same  level  of 
access,  such  as  the  ability  to  alter  data  within  programs  and  files,  as  the  former 
employee.  MSC  should  delete  access  to  the  files  and  programs  linked  to  foe 
user's  account  after  individual  user  IDs  are  removed.  MSC  should  require 
verification  of  foe  need  for  access  and  verify  the  appropriate  access  levels  before 
issuing  new  user  IDs. 

MSC  maintained  user  IDs  six  and  seven  for  emergency  contractor  support.  This 
was  done  to  allow  foe  contractors  to  recover  quickly  from  an  after-hours  or 
weekend  computer  emergency.  According  to  MSC  Headquarters,  several  days 
would  be  needed  to  reestablish  a  user  ID.  The  need  to  retain  the  user  IDs  may 
be  justified.  However,  allowing  contractor  employees  to  have  continual  access 
to  the  MSC  system  with  few  security  checks  exposes  MSC  Headquarters 
programs  and  data  to  unnecessary  risk.  MSC  Headquarters  should  restrict 
contractors  to  authorized  tasks. 

Computer  Associates  Access  Control  Facility  Version  2  Software* 
DoD  Directive  5200.28  requires  that  MSC  have  safeguards  to  ensure  that  each 
person  with  access  to  the  automated  information  system  is  held  accountable  for 
his  or  her  actions.  Additionally,  DoD  Manual  5200.28-M,  "ADP  Security 
Manual,"  June  25,  1979,  requires  users  to  identify  themselves  to  the  system 
before  gaining  access.  The  Defense  Information  Processing  Center's  mainframe 
computer  has  Access  Control  Facility  Version  2  software  to  control  computer 
security  and  accountability  for  users.  The  software  works  with  foe  computer's 
operating  system  to  control  access  to  foe  computer  by  allowing  access  for  valid 
requests  and  denying  access  for  invalid  attempts.  The  invalid  attempts  ate 
logged  as  security  violations  and  are  tracked  to  individual  user  IDs.  The 
security  software  can  also  record  attempts  at  improper  access  or  attempts  to 
access  sensitive  files.  However,  the  security  log  feature  of  foe  Access  Control 
Facility  Version  2  software  was  not  being  used.  Therefore,  foe  computer 
security  officer  could  not  readily  detect  improper  access  to  foe  system  or  review 
access  to  sensitive  files.  MSC  should  activate  the  security  log  feature  of  the 
Access  Control  Facility  Version  2  software  to  provide  an  audit  trail  of  access  to 
the  ULB  programs  and  data. 

The  problems  associated  with  computer  security  could  have  been  avoided.  DoD 
Directive  5200.28  provided  guidance  on  the  level  of  access  to  security 
programs,  and  DoD  Manual  5200.28  provided  guidance  on  accountability  for 
user  IDs.  If  the  ADP  security  officer  and  his  staff  had  conducted  periodic 
reviews  of  security  operations  for  compliance  with  security  procedures,  these 
weaknesses  in  security  could  have  been  corrected. 
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Training  and  Supervision  of  ADP  Staff 

The  ADP  security  officer  did  not  properly  train  or  supervise  the  ADPSSOs  m 
their  security  responsibilities.  The  ADP  security  officer  provided  inadequate 
technical  training  on  security  to  his  ADPSSOs  and  did  not  execute  his 
supervisory  responsibilities.  ADPSSOs  were  unfamiliar  with  die  requirements 
of  DoD  and  MSC  directives  and  foiled  to  implement  the  guidance.  Because 
security  policies  and  procedures  were  not  implemented,  the  ULB  programs  and 
data  were  vulnerable  to  unauthorized  access  and  changes. 

Training.  OPNAV  Instruction  5239.1 A  states  that  security  training  is  the  key 
element  of  the  Navy's  ADP  security  program.  The  training  can  be  formal  or 
informal,  and  can  range  from  security  awareness  training  for  top-level  managers 
to  highly  technical  security  training  for  ADP  operations  personnel. 

We  reviewed  the  training  for  "Basic  Automated  Information  System 

Security  Awareness,"  July  1994,  provided  to  us  by  foe  ADP  security  officer  at 
MSC  Headquarters.  The  ADP  security  officer  administers  this  1-hour  training 
program  annually  to  terminal  area  security  officers  and  ADP  systems  security 
officers.  The  program  consists  of  briefing  charts  and  a  security  awareness 
video,  emphasizing  security  awareness  for  end  users.  Basic  security  awareness 
training  may  be  adequate  for  terminal  area  security  officers;  however,  because 
of  the  technical  nature  of  foe  ADPSSO  responsibilities,  training  for  foe 
ADPSSOs  should  be  more  specialized.  OPNAV  Instruction  5239. 1A, 
Appendix  D,  outlines  foe  Navy's  ADP  security  curriculum.  The  Navy 
recommends  two  40-hour  ADP  security  courses.  In  addition,  training  on  foe 
administration  of  the  Access  Control  Facility  Version  2  software  could  improve 
the  security  officers'  understanding  of  foe  software's  capabilities.  MSC  should 
revise  the  security  and  training  program  for  ADPSSOs  to  provide  more 
technical  information  on  maintaining  computer  security. 

Supervision.  The  ADP  security  officer  did  not  properly  supervise  the 
ADPSSOs.  The  ADP  security  officer  failed  to  execute  his  responwbditiesas 
defined  in  OPNAV  Instruction  5239.1A  and  COMSC  Instruction  551Q.8D  The 
problems  associated  with  foe  level  of  access  and  foe  user  IDs  occurred  before 
the  current  ADPSSO  was  appointed  on  December  16,  1994.  The  ADP  security 
officer  did  not  ensure  foat  foe  ADPSSOs  adhered  to  policies  and  procedures. 
The  ADPSSOs  were  not  aware  of  basic  security  information  about  foe  ULB. 
Consequently,  foe  ADPSSOs  did  not  properly  perform  foe  duties  or  execute  the 
responsibilities  as  established  in  security  regulations. 

The  Navy  instructions  specified  foe  supervisory  responsibilities  of  foe  ADP 
security  officer.  The  ADP  security  office-  is  responsible  for  training  and 
supervising  the  ADPSSOs.  After  an  ADPSSO  is  appointed,  foe  ADP  security 
officer  should  ensure  that  foe  ADPSSO  follows  existing  security  regulations. 

The  ADPSSOs  were  unaware  of  foe  security  violations  found  during  our  review 
of  the  ULB.  The  ADPSSOs  had  not  reviewed  foe  user  access  listing  to  verify 
need  and  authorization.  In  addition,  foe  ADPSSOs  were  unaware 
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that  seven  user  IDs  for  unauthorized  personnel  were  still  in  use.  Proper 
supervision  from  the  ADP  security  officer  should  have  prevented  those 
shortcomings. 

The  ADP  security  officer  was  aware  of  the  weaknesses  in  computer  security. 
During  the  period  September  24  to  November  4,  1994,  the  ADP  security 
officer,  with  contractor  representatives  and  application  representatives, 
performed  a  risk  assessment  that  included  the  ULB.  The  assessment  showed  toe 
need  for  both  improved  internal  controls  and  an  increased  awareness  of  security 
initiatives  already  taken.  The  assessment  also  showed  the  vulnerability  of  the 
ULB  to  disclosure  of  sensitive  information.  In  addition,  toe  ULB  had  few 
protections  against  fraudulent  diversion  of  program  funds,  and  the  ULB  could 
not  identify  employees  responsible  for  system  changes. 


Conclusion.  The  ADPSSOs  did  not  follow  the  security  policies  pi  procedures 
because  they  lartVfd  training  and  supervision  by  the  ADP  security  officer.  In 
addition,  basic  internal  controls,  such  as  removing  the  user  IDs  of  departing 
MSC  employees,  did  not  work.  User  IDs  were  still  active  several  months  after 
toe  most  recent  access.  Proper  training  and  supervision  must  be  in  place  to 
ensure  effective  computer  security. 


Recommendations,  Management  Comments, 
and  Audit  Response 


B.  We  recommend  that  the  Commander,  Military  Sealift  Command: 

1.  FMftMkh  computer  security  policies  that  direct: 

a.  Verification  of  the  need  for  access  and  verification  of 
appropriate  access  levels  before  issuing  new  user  identification  codes. 

Management  Comments.  MSC  concurred.  The  Automatic  Data  Processing 
Security  Officer  and  toe  project  managers  will  define  access  levels  and  create 
rules  asyxfoted  with  the  groups  for  each  MSC  application.  These  actions  will 
be  completed  by  September  1995. 

b.  Deletion  of  files  and  programs  linked  to  user  accounts 
after  individual  user  identification  codes  are  removed. 

Management  Comments.  MSC  concurred.  MSC  agreed  that  whenever  a 
specific  User  ID  is  deleted,  all  associated  data  sets  should  be  deleted.  MSC 
stated  that  the  deletion  of  associated  data  sets  with  a  specific  user  ID  is 
automatically  done  by  the  data  processing  center.  This  occurs  at  least  once  a 
week.  MSC  will  tair*  action  by  September  1995  to  ensure  that  toe  new  data 
processing  cente**  in  Mechanicsburg  deletes  all  Access  Control  Facility  Version 
2  software  rules  associated  with  a  user  ID. 
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Audit  Response.  Management  comments  were  fully  responsive.  However,  die 
data  processing  center  does  not  automatically  delete  data  sets  associated  with 
specific  user  IDs  scheduled  for  deletion.  We  found  that  the  MSC  requested 
deletion  of  specific  user  IDs  on  January  9,  1995.  On  February  27,  1995,  nearly 
6  weeks  later,  a  list  of  access  programs  and  data  sets  associated  with  the  specific 
user  IDs  to  be  deleted  was  still  in  effect.  The  user  IDs  were  not  deleted  in  the 
next  program  load.  At  the  new  data  processing  center  in  Mechanicsburg, 
Pennsylvania,  MSC  must  ensure  that  all  deletions  of  time  sharing  option 
accounts  and  associated  data  sets  take  place  at  the  same  time.  No  further 
comments  are  required. 

2.  Review  periodically  the  user  identification  codes  and  access  levels 
for  all  employees,  as  required  by  DoD  Directive  5200.28,  "Security 
Requirements  for  Automated  Information  Systems,"  March  21, 1988. 

Management  Comments.  MSC  concurred  and  stated  that  the  review  will  be 
completed  monthly  at  Headquarters  and  Area  Commands.  This  action  will 
begin  in  June  1995  after  the  transition  of  the  Defense  Information  Processing 
Center  from  Washington,  D.C.,  to  Mechanicsburg,  Pennsylvania. 

3.  Cancel  user  identification  codes  immediately  upon  termination  of 
employment  or  other  appropriate  circumstances,  as  required  by  OPNAV 
[Naval  Operations]  Instruction  5239.1A,  "Department  of  the  Navy 
Automatic  Data  Processing  Security  Program,"  April  1, 1985. 

Management  Comments.  MSC  concurred  and  stated  that  the  policy  is  already 
in  effect,  but  will  be  improved  by  immediate  training  of  the  employees  in  the 
MSC  Customer  Support  Center. 

4.  Develop  across  procedures  that  will  restrict  contractor  employees 
to  authorized  ta&s  as  defined  in  DoD  Directive  5200.28,  "Security 
Requirements  for  Automated  Information  Systems,"  March  21,  1988. 

Management  Comments.  MSC  concurred.  Responsible  personnel  will  define 
access  levels  (groups)  and  create  rules  associated  with  these  groups  for  each 
application.  Action  will  be  completed  by  September  1995. 

5.  Activate  the  Access  Control  Facility  Version  2  software  or  other 
access  software  used  by  the  Military  Sealift  Command  to  establish  an  audit 
trail  for  defying  unauthorized  access,  as  defined  in  OPNAV  [Naval 
Operations]  Instruction  5239.1A,  "Department  of  the  Navy  Automatic  Data 
Processing  Security  Program,"  April  1, 1985. 

Management  Comments.  MSC  concurred.  MSC  will  confer  with  the  support 
staff  tor  the  Access  Control  Facility  Version  2  software  to  develop  logon 
accesses  to  the  system  that  do  not  degrade  system  performance.  This  action  will 
be  completed  by  June  1996. 

Audit  Response.  Although  MSC  concurred  with  the  recommendation,  we  do 
not  consider  the  planned  actions  to  be  fully  responsive.  MSC  operates  a 
computer  system  that  does  not  maintain  an  audit  trail  or  log  for  detecting 
unauthorized  access.  This  shortcoming  is  not  in  compliance  with  OPNAV 
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[Naval  Operations]  Instruction  5239. 1A,  "Department  of  the  Navy  Automatic 
Data  Processing  Security  Program,"  April  1,  1985.  All  data  programs 
associated  with  this  system  are  vulnerable  to  unauthorized  access  without 
detection.  This  problem  should  be  corrected  before  June  1996.  We  request  that 
MSC  reconsider  the  completion  date  and  provide  an  explanation  of  the  time 
frame  required  to  implement  this  recommendation. 

6.  Direct  the  automatic  data  processing  security  officer  to  conduct 
norfodir  reviews  of  security  operations  for  compliance  with  security 
dLftaed  taOWA^ “[Naval  Operaiions]L£nK*ion  5239.1A, 


Instruction  5510JD,  May  26, 1992. 


Management  Comments.  MSC  concurred.  The  Automatic  Data  Processing 
Security  officer  will  maintain  exception  reports  with  names  and  relevant  dam  on 
user  IDs.  Lists  of  unauthorized  access  attempts  will  be  part  of  the  audit  trail  by 
June  1996.  Other  exception  reports  will  be  reviewed  to  determine  whether 
action  is  needed.  Reviews  Will  begin  in  January  1996. 


Audit  BrnyuMM*  Although  MSC  concurred  with  the  recommendation,  we  do 
not  cotmier  the  planned  actions  to  be  folly  responsive.  Exception  repents  can 
provide  a  basis  for  conducting  periodic  reviews  of  security  operations. 
However,  waiting  until  January  1996  to  begin  the  review  allows  nearly 
6  months  to  pass  without  a  proper  review  erf  users  who  leave  the  command  or 
user  IDs  of  task-restricted  users.  As  stated  in  the  audit  response  to  management 
comments  on  R<rommfyiffatiral  B.5.,  this  problem  should  be  corrected  before 
June  1996.  We  request  that  MSC  reconsider  the  completion  date  and  provide  an 
explanation  of  the  time  frame  required  to  implement  foe  reviews  of  security 
operations. 

7.  Revise  the  security  and  training  program  for  automatic  data 
processing  systems  security  officers  to  provide  more  technical  information 
on  fhe  Access  Control  Facility  Version  2  software  and  to  comply  with  the 
automatic  data  processing  training  curriculum,  as  defined  in  Appendix  D  of 
OPNAV  [Naval  Operations]  Instruction  5239.1A,  "Department  of  the  Navy 
Automatic  Data  Processing  Security  Program,"  April  1, 1985. 


Management  Comments.  MSC  concurred.  MSC  stated  that  the  security 
tyrymiifl  gad  motet  managers  will  provide  training  in  the  Access  Canton* 
Facility  Version  2  software.  In  addition,  foe  security  officer  will  conduct  an 
annual  refresher  course  in  security.  Training  will  begin  by  January  1996. 


Audit  KesaoaMt.  Although  MSC  concurred  with  foe  recommendation,  we  do 
not  consider  the  ^"p*8**  fully  responsive.  MSC  did  not  address  the  security 
Sfo^TdefotSiir^endii  DofOPNAV  [Naval  Operations]  Instruction 
5235UA  "Department  of  the  Navy  Automatic  Data  Processing  Security 
Program*"  April  1,  19*5.  ADP  training,  in  addition  to  training  on  ‘Je  Accras 
Control  Factory  Version  2  software,  is  required.  We  request  that  MSC 
reconsider  its  position  and  provide  additional  comments  in  its  response  to  foe 
final  report. 
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8.  Direct  the  nufomaHr  data  processing  security  officer  to  properly 
supervise  computer  security  staff  as  required  by  OFNAV  [Naval 
Operations]  Instruction  5239.1A,  "Department  of  the  Navy  Automatic  Data 
Processing  Program, H  May  1,  1985,  and  COMSC  [Commander,  Military 
SeaUftCoanmand]  Instruction  5510.8D,  "COMSC  Security  Manual," 
May  26, 1992. 


lUanagfmpnt  Comments.  MSC  concurred.  The  ADPSO  will  ensure  that  the 
ADPSSOs  maintain  the  required  documentation  and  be  current  on  other 
requirements.  The  ADPSSO  will  provide  security  training  on  automatic 
information  systems  to  users  and  technical  support  personnel  by  January  1996. 


Audit  Management  comments  were  fully  responsive.  However,  in 

listing  the  duties  expected  of  the  ADPSSOs,  MSC  omitted  the  responsibilities  of 
the  ADPSSOs  that  lead  to  the  weaknesses  identified  during  the  audit.  The 
ADPSO  must  ensure  that  the  ADPSSOs  amply  with  the  Navy  instruction, 
which  states  that  the  ADPSSO  should: 


Monitor  system  setivity,  including  identification  of  the  levels  and 
types  of  date  handled  by  the  ADP  systems,  assignment  of  passwords 
and  review  of  audit  tails,  output,  etc.,  to  ensure  compliance  with 
security  directives  and  procedures. 


Management  Comments  Required 

The  Commander,  Military  Sealift  Command,  is  requested  to  comment  on  the  items 
indicated  with  an  X  in  Table  2. 


Table  2.  Management  Comments  Required  on  Finding  B. 


ximmendatioa 

Concur/ 

Proposed 

Completion 

Number 

Action 

Date 

5. 

X 

X 

X 

6. 

X 

X 

X 

7. 

X 

X 

X 
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Scope  and  Methodology 


Our  audit  evaluated  the  internal  control  structure  for  the  Military  Sealift 
Command  portion  of  the  transportation  business  area  of  the  DBOF.  The 
internal  control  structure  is  the  organization,  methods,  and  measures  with  which 
an  organization  performs  its  activities  to  accomplish  its  objectives.  Internal 
controls  are  the  tods  established  by  management  to  accomplish  the 
organization's  objectives. 

The  USTRANSCOM  FY  1993  Statement  of  Financial  Position  was  the  basis  for 
the  preliminary  estimate  of  materiality.  The  four  material  accounts  selected  for 
review  were  Accounts  Receivable;  Property,  Plant,  and  Equipment;  Accounts 
Payable;  and  Other  Non-Federal  Liabilities.  The  review  showed  that  MSC  and 
the  Air  Mobility  Command  made  up  $2.7  billion  out  of  $3.1  billion  reported  in 
USTRANSCOM  FY  1993  financial  statements  for  the  four  selected  accounts. 


To  review  the  Statement  of  Financial  Position,  we  examined  four  ^account 
balances  that  were  determined  to  be  material  based  on  the  USTRANSCOM 
FY  1993  Statement  of  Financial  Position.  We  selected  two  asset  accounts, 
which  made  up  $1.7  billion  out  of  $1.9  billion  of  the  total  assets  reported 
(excluding  Fund  Balances  with  Treasury),  and  two  liability  accounts,  which 
made  up  $1.4  billion  out  of  $1.5  billion  of  total  liabilities  reported.  Accounts 
Receivable;  Property,  Plant,  and  Equipment;  Accounts  Payable;  and  Other 
Non-Federal  t  iahiiirim  were  most  significant  to  the  users  of  the  Statement  ol 
Financial  Position.  At  MSC,  the  accounts  that  were  reviewed  as  part  of  the 
Other  Non-Federal  Liabilities  on  the  consol^ted  ^mOTt  were  hsted  as 
Accrued  Expenses,  (to  the  MSC  portion  of  the  USTRANSCOM  FY  1994 
Statement  of  Financial  Position,  the  two  asset  accounts  totaled  $1.8  billion,  and 
the  two  liability  accounts  totaled  $2.1  billion.  We  did  not  quantify  any  errors 
found  during  the  review.  To  achieve  the  audit  objective,  we: 

o  prepared  the  FY  1994  client  profile  and  account  cycle  memorandums; 


o  the  policies  and  procedures  that  applied  to  MSC  computer 

operations  and  that  created  the  environment  in  which  application  controls  and 
user  control  techniques  operated; 

o  determined  the  level  of  automation  in  the  MSC  automatic  data 
processing  system  and  assessed  the  manual  interfaces  between  systems, 

o  determined  the  reliability  of  compute-processed  data  used  during  the 

audit; 
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o  determined  the  processes  used  to  prepare  the  MSC  financial  statement, 
including  significant  accounting  estimates,  disclosures,  and  computerized 
processing; 

o  determined  the  processing  involved,  from  the  initiation  of  transactions 
to  their  inclusion  in  the  financial  statements,  including  the  nature  and  type  of 
records,  journals,  ledgers,  and  source  documents; 

o  determined  whether  account  transactions  were  valid,  accurate, 
properly  classified,  and  recorded  in  the  proper  accounting  period, 

o  reviewed  the  effectiveness  of  the  MSC  management  control  program 
in  compliance  with  DoD  Directive  5010.38,  "Internal  Management  Control 
Program,”  by  comparing  the  Area  Commands1  Annual  Certification  Statement 
with  the  MSC  Headquarters  Annual  Certification  Letter;  and 

o  assessed  compliance  with  laws  and  regulations  and  standard  operating 
procedures  for  each  account  cycle  memorandum  reviewed. 

Our  review  was  made  primarily  at  MTMC  and  MSC.  The  Air  Force  Audit 
Agency  evaluated  the  adequacy  and  effectiveness  of  selected  internal  contr&s 
and  assessed  compliance  with  laws  and  regulations  applicable  to  the  FY  1994 
Statement  of  Financial  Position  for  the  Airlift  Services  Division  of 
USTRANSCOM.  We  discontinued  our  review  of  MTMC  after  determining  that 
findings  reported  by  the  Army  Audit  Agency  in  its  FY  1992  audit  were  still 
unresolved,  and  after  performing  a  preliminary  assessment  of  accounting 
conditions  at  the  Defense  Accounting  Office,  Bayonne,  New  Jersey. 

Scope  Limitation.  We  limited  our  review  to  four  accounts  on  the  MSC 
Statement  of  Financial  Position  for  FY  1994:  Accounts  Receivable;  Property, 
Plant,  and  Equipment;  Accounts  Payable;  and  Accrued  Expenses.  In  addition, 
we  reviewed  the  management  control  program  and  the  MSC  financial  statement 
reporting  process.  We  did  not  perform  substantive  testing  of  the  transaction* 
supporting  the  account  balances  on  the  FY  1994  Statement  of  Financial 
Position. 

Use  of  Computer-Processed  Data.  To  achieve  the  audit  objective,  we  limited 
our  review  of  computer-processed  data  to  the  data  contained  m  the  ULB  and  toe 
Revenue  Lift  System  at  MSC  Headquarters.  To  assess  the  reliability  of  the 
data  we  observed  the  data  input  to  the  ULB  as  it  first  entered  the  system, 
checked  the  progress  of  the  data  input,  reviewed  output  reports,  and  compared 
the  output  with  the  expected  results.  Based  on  our  limited  review,  we 
considered  the  date  in  toe  ULB  reliable  and  did  not  find  errors  that  would 
preclude  the  use  of  the  computer-processed  data. 

Audit  Period,  Standards,  and  Locations.  This  financial  statement  audit  was 
made  from  June  1994  through  April  1995  in  accordance  with  auditing  standard* 
issued  by  the  Comptroller  General  of  the  United  States  as  implemented  by  the 
Inspector  General,  DoD.  Accordingly,  we  included  such  tests  of  internal 
controls  as  were  considered  necessary.  Appendix  F  lists  the  organizations 
visited  or  contacted  during  the  audit. 
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Management  Control  Program 

DoD  Directive  5010.38,  "Internal  Management  Control  Program," 
April  14,  1987,  requires  DoD  organizations  to  have  internal  control  techniques 
in  place  to  ensure  mat  events  are  occurring  as  desired,  and  to  have  a  program  to 
evaluate  those  controls.  We  determined  whether  MSC  complied  with  DoD 
Directive  5010.38.  Specifically,  we  reviewed  MSC  internal  controls  over  the 
transactions  supporting  account  balances  on  the  Statement  of  Financial  Position 
for  FY  1994  for  Accounts  Receivable;  Property,  Plant,  and  Equipment; 
Accounts  Payable;  and  Accrued  Expenses.  In  addition,  we  reviewed  the 
internal  controls  associated  with  access  and  accountability  in  the  ULB 
application  programs  and  Also,  we  determined  the  extent  to  which  MSC 
evaluated  its  internal  controls  over  accounting  and  related  systems  and  computer 
security  and  the  results  of  any  self-evaluation. 

Adequacy  of  Coatrok.  We  itontifMd  material  internal  control  weaknesses  at 
MSC  as  defined  by  DoD  Directive  5010.38.  MSC  internal  controls  for 
accounting  and  related  systems  were  not  adequate  to  establish  the  transaction 
trail  from  the  account  Mmw  to  transactions  supporting  the  MSC  Statement  of 
Financial  Position  for  FY  1994.  In  addition,  the  internal  controls  far  computer 
security  were  not  advq11?**  to  prevent  unauthorized  access  to  the  ULB 
application  programs  and  data.  Recommendations  A.l.  through  A. 8.  and  B.l. 
through  B.8.,  if  implemented,  will  correct  the  weaknesses.  Although  we  could 
not  quantify  the  potential  monetary  benefits  associated  with  implementing  the 
recommendations,  we  identified  other  potential  benefits.  See  Appendix  E  for  a 
summary  of  die  potential  benefits  resulting  from  the  audit.  A  copy  of  the  report 
will  be  provided  to  the  senior  official  responsible  for  internal  controls  in  the 
Office  of  the  Secretary  of  the  Navy. 

Adequacy  of  MSC  Self-Evaluation  of  Applicable  Internal  Controls.  MSC 
ofjvTaig  identified  am*u>tiag  and  related  systems  as  an  assessable  unit  and,  in 
our  opinion,  correctly  identified  the  risk  associated  with  those  systems  as  high. 
In  its  Annual  Statement  of  Assurance,  MSC  identified  and  reported  material 
internal  control  weaknesses,  such  as  inaccurate  accruals  and  inaccurate  Accounts 
Receivable,  resulting  from  toe  accounting  and  related  systems.  MSC  has 
developed,  bid  has  not  fully  implemented,  procedures  to  correct  the  weaknesses. 
We  found  mat*riAi  internal  control  weaknesses,  not  identified  by 

MSC,  in  the  accounting  and  related  systems.  MSC  had  not: 

o  used  the  DoD  Standard  General  Ledger  chart  of  accounts; 

o  used  the  Allowance  for  Loss  on  Accounts  Receivable  account  from 
the  DoD  chart  of  accounts; 

o  established  procedures  to  substantiate  toe  aging  of  Accounts 
Receivable; 

o  ntaMitor*  standard  mending  procedures  for  substantiating  the  cost 
figures  used  to  accrue  expenses  for  toy  cargo  ships;  and 
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o  required  that  departmental  standard  operating  procedures  and  desk 
procedures  be  developed  for  each  section  of  the  Accounting  Division  and  VIPS 
operations,  and  ensured  that  the  procedures  are  accurate,  updated,  and  readily 
accessible. 

In  addition,  MSC  officials  identified  information  technology  as  an  assessable 
unit,  and  correctly  identified  the  risk  associated  with  computer  security  as  high. 
The  ADP  security  officer  reviewed  the  ULB  access  controls  under  a  risk 
assessment  needed  for  system  accreditation.  However,  although  die  risk 
assessment  correctly  showed  the  same  material  weaknesses  we  identified,  the 
ADP  security  officer  did  not  include  those  results  in  the  management  control 
program  or  implement  corrective  actions.  MSC  officials  could  not  explain  why 
they  did  not  include  the  risk  assessment  results  in  the  management  control 
program  review  or  implement  corrective  actions. 
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Inspector  General,  DoD 


Report  No.  Report  Title 


94-163 

94-161 

94-082 

93-134 

93-110 

92-INS-07 


Management  Data  Used  to  Manage 
the  U.S.  Transportation  Command 
and  the  Military  Department 
Transportation  Organizations 

Consolidated  Statement  of  Financial 
Position  of  the  Defense  Business 
Operations  Fund  for  FY  1993 

Financial  Management  of  the 
Defense  Business  Operations  Fund  - 
FY  1992 

Principal  and  Combining  Financial 
Statements  of  the  Defense  Business 
Operations  Fund  -  FY  1992 

Consolidated  Financial  Statements 
of  the  Defense  Finance  and 
Accounting  Service  Revolving  Fund 
of  the  Defense  Business  Operations 
Fund  -  FY  1992 

United  States  Transportation 
Command 


Date 

June  30,  1994 

June  30,  1994 
April  11,  1994 
June  30,  1993 

June  11,  1993 

January  1992 
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Naval  Audit  Service 


Report  No. 


Report  Title 


010-95  Sponsor-Funded  Equipment  at  December  2,  1994 

Selected  Navy  Defense  Business 
Operations  Fund  Activities 


053-H-94  FY  1993  Consolidating  Financial  June  29,  1994 

Statements  of  the  Department  of  the 
Navy  Defense  Business  Operations 
Fund 


053-H-93  FY  1992  Consolidating  Financial  June  30,  1993 

Statements  of  the  Department  of  the 
Navy  Defense  Business  Operations 
Fund 
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DFAS  Guidance.  Since  the  incorporation  of  USTRANSCOM  into  DBOF 
Transportation,  the  responsibility  for  issuing  accounting  and  financial  reporting 
guidance  to  the  USTRANSCOM  components  has  been  undefined.  DFAS  does 
not  have  clear  procedures  for  the  dissemination  of  accounting  guidance  to  the 
USTRANSCOM  components.  Since  Defense.transportation  activities  have  been 
consolidated,  the  Service  transportation  components  continue  to  rely  on  the 
Service-related  DFAS  Centers  for  accounting  functions  and  guidance.  For 
example,  MSC  did  not  receive  DoD  Regulation  7000. 14-R,  which  required  all 
agencies  to  establish  an  allowance  for  uncollectible  Accounts  Receivable.  As  a 
result,  MSC  followed  the  Navy  Comptroller  Manual,  which  had  not  been 
updated  to  reflect  the  change.  MSC  stated  that  DFAS  Denver  Center  does  not 
inform  MSC  of  changes  in  guidance,  so  MSC  cannot  stay  in  compliance. 

The  DFAS  Denver  Center  is  responsible  for  providing  accounting  and  financial 
reporting  support  for  USTRANSCOM  and  its  components;  however,  the  Center 
had  not  provided  accounting  guidance.  DFAS  Headquarters  needs  to  instruct 
USTRANSCOM  components  in  their  responsibilities  for  accounting  and 
financial  reporting.  The  IG,  DoD,  will  issue  a  separate  audit  report  on 
DoD-wide  problems  with  support  for  accounting  and  financial  reporting. 


Appendix  D.  Selected  Military  Sealift  Command 
Accounting  and  Related  Systems 


Unit  Level  Billing 
it  Revenue  Lift 


MTMC  &  Navy 

WorWwIde.Pcrte^  Proparty|  plant( 
&  Equipment 


Legend 

|  ®  Semiautomat*  d  System 
0  Automated  System 

I  —  Svetem  or  Entity  Outelde  MSC  Heodguartere  | 


This  diagram  shows  how  the  various 
automated  and  semiautomated  systems  Interface 
wfth  the  FMIS  General  Ledger  at  MSC  Headquarters. 


: 

i 

i 

i 
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Appendix  E.  Summary  of  Potential  Benefits 
Resulting  From  Audit 

Recommendation 

Reference 

Description  of  Benefit 

Amount  and/or 
Type  of  Benefit 

A.l.  -  A.3., 

A. 5. 

Compliance.  Provides  compliance 
with  existing  laws  and  DoD 
regulations. 

Nonmonetary. 

A.4.,  A. 6.  - 
A. 8. 

Internal  controls.  Provides  control 
over  the  financial  data  used  in  the 
financial  statements. 

Nonmonetary. 

B.l. 

Internal  controls.  Provides  for 
stricter  controls  over  access  to 
computer  application  programs  and 
data. 

Nonmonetary. 

B.2.  -  B.8. 

Compliance.  Provides  compliance 
with  existing  laws  and  DoD  and 

Navy  regulations. 

Nonmonetary. 

Appendix  F.  Organizations  Visited  or  Contacted 


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Comptroller),  Office  of  the  Deputy  Chief  Financial 
Officer,  Directorate  for  Financial  Review  and  Analysis,  Washington,  DC 


Department  of  the  Army 

Military  Traffic  Management  Command,  Headquarters,  Falls  Church,  VA 

Military  Traffic  Management  Command,  Eastern  Area  Headquarters,  U.S.  Army 

Garrison,  Bayonne,  NJ  ,T  .  .  _  , ,  . 

Military  Traffic  Management  Command,  Western  Area  Headquarters,  Oakland 

Army  Base,  Oakland,  CA 
Army  Audit  Agency,  Alexandria,  VA 


Department  of  the  Navy 

Office  of  the  Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller), 
Office  of  Finance  and  Accounting,  Washington,  DC 
Military  Sealift  Command,  Washington,  DC  . 

Military  Sealift  Command,  Central  Technical  Activity,  Washington,  DC 
Military  Sealift  Command,  Atlantic,  Bayonne,  NJ 
Military  Sealift  Command,  Pacific,  Oakland,  CA 
Naval  Audit  Service,  Falls  Church,  VA 


Department  of  the  Air  Force 

Air  Force  Audit  Agency,  Scott  Air  Force  Base,  EL 


Unified  Command 

U.S.  Transportation  Command,  Scott  Air  Force  Base,  EL 
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Appendix  F.  Organizations  Visited  or  Contacted 


Other  Defense  Organizations 

Defense  Finance  and  Accounting  Service,  Arlington,  VA 

Defense  Finance  and  Accounting  Service  Indianapolis  Center,  Indianapolis,  LN 
Defense  Accounting  Office,  Bayonne,  NJ 
Defense  Accounting  Office,  Arlington,  VA 
Defense  Finance  and  Accounting  Service  Denver  Center,  Denver,  CO 
Defense  Information  Processing  Center,  Defense  Information  Systems  Agency, 
Washington,  DC 
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Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  (Acquisition  and  Technology) 
Director,  Defense  Logistics  Studies  Information  Exchange 
Under  Secretary  of  Defense  (Comptroller) 

Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Deputy  Under  Secretary  of  Defense  (Logistics) 

Assistant  to  the  Secretary  of  Defense  (Public  Affairs) 


Department  of  the  Army 

Commander,  Military  Traffic  Management  Command 
Auditor  General,  Department  of  the  Army 


Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Financial  Management  and  Comptroller) 
Commander,  Military  Sealift  Command 
Auditor  General,  Department  of  the  Navy 


Department  of  the  Air  Force 

Assistant  Secretory  of  the  Air  Force  (Financial  Management  and  Comptroller) 
Commander,  Air  Mobility  Command 
Auditor  General,  Department  of  the  Air  Force 


Unified  Command 

Commander  in  Chief,  U.S.  Transportation  Command 


Appendix  G.  Report  Distribution 


Other  Defense  Organizations 

Director,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Logistics  Agency 

Director,  Defense  Contract  Audit  Agency 

Inspector  General,  Central  Imagery  Office 

Inspector  General,  National  Security  Agency 

Director,  National  Security  Agency,  Audit  and  IMC  Liaison 


Non-Defense  Federal  Organizations 

Office  of  Management  and  Budget  .  .. 

Technical  Information  Center,  National  Security  and  International  Affairs  Division, 
General  Accounting  Office 

r^nir  and  ranking  minority  member  of  each  of  the  following  congressional  committees 
and  subcommittees: 

Senate  Committee  on  Appropriations 

Senate  Subcommittee  on  Defense,  Committee  on  Appropriations 
Senate  Committee  on  Armed  Services 
Senate  Committee  on  Governmental  Affairs 
House  Committee  an  Appropriations 

House  Subcommittee  cm  National  Security,  Committee  on  Appropriations 
House  Committee  on  Government  Reform  and  Oversight 

House  Subcommittee  on  National  Security,  International  Affairs,  and  Criminal 
Justice,  Committee  on  Government  Reform  and  Oversight 
House  Committee  on  National  Security 
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Military  Sealift  Command  Comments 


UNITED  STATES  TRANSPORTATION  COMMAND 

1H  SOOTT  DM 

•OOUAMKWOCftUCL  CXOltCT 


12  June  1993 

MEMORANDUM  FOR  DoD  IC  (Ms.  Barbara  Sauls) 

400  Army  Navy  Drive 
Arlington  VA  32203*2114 

FROM:  TCJi 

SUBJECT:  Do D  XG  Draft  Audit  Report  on  Management  Control*  for 
the  Military  Saalift  Command  Portion  of  tba 
Transportation  Bus inass  Araa  of  tha  FY94  Da fans* 
Busiaass  Oparatio ns  Fund  Financial  Statements 
(Project  No.  4FH-2011) 

1.  Attachsd  is  tha  Military  Saalift  conmand's  raspons*  to 
autojact  draft  audit  raport.  Wa  concur  with  thair  input. 

2.  USTRANSCOM/TCJS  is  fully  avar*  of  tha  Many  daficiancias  in 
tha  accounting  systaas  currently  supporting  DBOF-T,  and  wa  raport 
problaa  areas  in  tha  Chiaf  Financial  Officers'  (CFO)  Act  in  our 
CFO  Annual  Statement  of  Assurance.  Me  are  working  diligently 
with  Defane*  Accounting  and  Finance  and  tha  Transportation 
Component  Ceamande  t*  aalaat  an  inter  in  migratory  accounting 
system  to  support  DftOF**  until  a  Da0~vid*  standardised  system 
becomes  available.  Our  efforts  should  result  in  preventing  the 
types  of  problsms  identified  in  tha  Dot)  XO  report,  a.g.,  not 
using  DoD  standard  General  Ledger  chart  of  accounts. 


Director,  Program  Analysis 
and  Financial  Management 


Attachment : 

COMSC  Ltr,  9  Jun  fS  w/Atoh 
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CORSC  RESPONSE 
TO 

DODIG  AUDIT  REPORT 

•MANAGEMENT  CONTROLS  FOR  THE  MILITARY  SEALIFT  COMMAND  PORTION  OF 
THE  TRANSPORTATION  BUSINESS  AREA  OF  THE  FY  1994  DBFENSE 
BUSINESS  OPERATIONS  FUND  FINANCIAL  STATEMENTS 
(PROJECT  NO.  4FH-2011) " 

OF 

12  MAY  95 


lfr^>«datinn  xi .  Use  the  DoD  Stendmrd  General  Ledger  Chart  of 
Accounts  ae  required  by  DoD  Regulation  7000. 14-R,  *DoD  Financial 
Management,'  Volume  1,  May  1993. 

nnwar  concur  in  part.  MSC  hae  developed  a  crosswalk  to 

the  DoD  Chart  of  Account*  (COA)  for  reporting  to  DFAS-Denver . 

The  MSC  accounting  *y*tem  (FMIS)  ie  currently  being  reviewed 
along  with  the  Corps  of  Engineers  Financial  Management  System 
(CEFMS)  for  the  interim  migratory  transport at ion  financial 
system.  The  resources  required  to  make  thie  change  are 
significant  and  it  i»  euggeated  that  thia  be  held  in  abeyance 
until  the  FMIS  ve.  CEFMS  decision  ie  made.  If  FMIS  is  chosen, 
the  DoD  COA  will  be  utilised, 

ISflfl—sadBfciaa  A2.  U*e  of  Allowance  for  Lose  on  Account* 
Receivable  account  from  the  DoD  COA  and  establish  the  criteria 
for  determining  the  allowance  for  FY  1995,  as  stated  in  DoD 
Regulation  7000. 14 -R,  "DoD  Financial  Management,'  Volume  1,  May 
1993. 

rnaf*g  £ant at  Concur.  MSC  will  establish  an  Allowance  for  Loss 
on  Accounts  Receivable  and  establish  the  criteria  for  determining 
the  allowance  before  the  end  of  FY  95. 


**  stop  estimating  the  aging  data  for  Accounts 
Receivable  and  establish  procedures  that  use  data  in  the  eging  of 
Accounts  Receivabl*  as  required  ia  Do D  Regulation  7000. 14-R,  *DoD 
Financial  Management,'  Volume  1,  Mey  1993. 

Pf^HP  QamAJaL  Concur.  COMSC  ie  now  using  actual  data  for  aging 
of  Accounts  Receivable.  MSC's  ACCESS  based  system,  now  in  place, 
hae  this  capability.  Action  ie  complete. 


14-  Implement  procedures  to  analyse  and  document 
whether  the  new  Cargo  Accrual  System  effectively  corrects  the 
deficiencies  in  the  Financial  Information  System. 
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Concur.  Under  th«  new  Cargo  Accrual  System 
rev.nu*  and  axpan.e  rtipwcnt,  worksheet,  »r«  »uto»«tic«lly 
developed  at  the  aa»e  tiaa  ueing  the  aaiee  ■°urc*j|°c'j"*n*  ‘  ,  . 

Revenue  and  expense  workload  aust  be  matched.  Bxpaneae  unpaid 
and  revenues  unbilled  ara  aut  optically  cal  cu  la  tad  at  tha  and  of 
tha  month,  worksheets  a ad  financial  raaulta  undar  tha  new  Cargo 
Accrual  Syataai  ara  continually  being  reviewed  and  analysed  by 
COMSCLANT ,  COHSCPAC,  and  COHSC  personnel. 

promptly  takan  with  any  system  problems  idantifiad.  Action  ia 
conaidarad  complete. 

— ■ - .ration  11.  Follow  procedures  to  validate  tha  Vessel 

Information  Planning  and  Analysis  *yatam 
establish  Accrued  Inpansss,  ns  stated  in  Military 
instruction  4*10. 32D,  "Vessel  Information  Planning  and  Analysis 
System  (VIPS)  Reporting  Instructions, *  September  4,  1990. 

rriMlir  rn^anr  Concur.  VIP*  raplacamant  prototypa  (undar  IC3 
migration  project)  will  provide  accruad  expenses  either  through 
direct  interface  or  indirect  <via  diskette)  in  accordance  with 
COHfiCIKST  4«10.3 2D.  Prototype  ia  expected  to  be  coaplata  in 
December  1995. 


- - at.  establish  standard  operating  procedures  for 

substantiating  the  cost  figurss  used  to  accrue  dry  cargo 

expenses . 

rflM«c  CamMUt  Concur.  VIPS  raplacamant  system  will  provide 
accruad  expanses  in  accordance  with  COHSCIMT  4110. 32D. 

Prototypa  la  expected  to  be  completed  in  December  1995. 

AT.  Determine  tbe  training  naads  of  paraonnal  who 
work  with  tha  Vassal  Information  Planning  and  Analysis  Syntnm  and 
provida  training  on  the  ralated  regulations. 


__________  Ccsicur ,  VIPS  currently  has  available  a  Users 

Manual  along  with  several  technical  guides.  A  training 
environment  or  tutorial  will  be  developed  for  tha  VIPS  prototype 
system.  Tha  prototypa  is  expected  to  be  completed  in  December 
1995. 


- - e-ew  as  Develop  departmental  standard  operating 

procedures  and  desk  ptsesdoe*  for  each  section  of  tbe  accounting 
division  and  Vassal  Infoimstisn  Planning  and  Analysis  System 
operations  and  verify  that  tbs  procedures  are  accurate,  updated 
and  readily  accessible. 


2 
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Pf»jnp  r>— "»  Concur.  Proc«dur«»  will  ha  *avalop«d  in 
conjunction  with  chnnf.a  in  VIPS  and  recounting  P|;f  •*“••• 
Raanginaarin*  .Hort.  at  MSC  and  autc«.tion  affort.  und.r  w«y 
vill  all  impact  on  thss*  procedure*.  Target  completion  date  i* 
end  of  FY  95. 

?Sft - m1-  Katabliah  coaput.r  aacurity  pelleiM  < eh«t 

diract  verification  of  tha  naad  for  accaaa  and  wrlfi«tUo  of 
appropriata  accaaa  lavala  bafora  iaauing  naw  uear  identification 
code#. 

rragar  rr— anr  Concur.  The  ADP9S0  end  the  project  managers  will 
define  acceae  levela  (group*)  and  create  rule*  associated 
the  groups,  for  each  MSC  application.  This  will  be  completed  by 
September  1995. 

Iinnman a i-b.  Sstablish  computer  security  policies  that 
direct  deletion  of  files  end  program*  linked  to  user  account* 
after  individual  user  identification  code*  are  removed. 

CCMMC  Praam inf  Concur.  Por  Date  Seta  associated  with  e  specific 

User  ID,  thia  service  is  provided  toy  our  DPC  automatically .  Once 
a  User  ID  is  deleted,  all  associated  data  sate  are  deleted  during 
the  next  IPL  of  the  system.  This  occurs,  at  minimum,  on  a  weekly 
basis.  MSC  will  take  action,  by  September  1995  to  see  that  ©ur 
new  DPC  (DMC  Mechaniesburg)  takes  action  to  delete  all  ACF2  rules 
associated  with  e  User  ID  that  is  being  deleted. 

Review  periodically  the  user  ifen^i^c^on 
code*  and  access  levels  for  all  employees,  as  required  by  DoD 
Directive  5200. 25,  "Security  Requirements  for  Automated 
Information  System*,*  March  21,  19M. 

rfl1|r  Concur.  Review  will  be  coinpleted  monthly  at 

Headquarters  and  Arts  Commands  and  corrections  will  be  made  as 
needed.  This  will  begin  upon  the  completion  of  transition  from 
DIPC  Washington  to  ONC  Mechaniesburg  in  June  1995. 

Uiammmamxlai  *1.  Cancel  user  identification  codes  immediately 
upon  termination  of  employment  or  other  appropriate 
circumstances,  as  required  by  OPHAV  [Weval  Operations! 

Instruction  si 3 9. 1A,  -Department  of  the  Wavy  Automatic  Data 
Processing  Security  Program,*  March  21,  1M*. 

rmt^  fitui  Concur.  Thi*  policy  is  already  in  effect  and 
be  improved  toy  providing  immediate  training  to  the  MSC 
Customer  Support  Center  employee*  to  nek*  ume  of  "Report  of 
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Accessions  and  Separations*  which  i»  prepared  by  the  COMSC 
Personnel  Office.  Action  le  complete . 

»4.  Develop  access  procedures  that  will  restrict 
contractor  employee*  to  authorised  tasks  as  defined  in  DoD 
Directive  5200. 28,  'Security  Nequirements  for  Automated 
Information  Systems, *  March  21,  1988. 

pfMn  Concur.  By  September  1995  the  ADP8S0  and  the 

project  managere  will  define  access  levels  (groups)  and  create 
rules  aasociatad  with  these  Groups,  for  each  MSC  application. 

p.rwn.iitiflp  as.  Activate  the  Access  Control  Facility  Version 
2  software  or  other  access  software  used  by  the  Military  Sealift 
Command  to  establish  an  audit  trail  for  detecting  unauthorised 
access,  aa  defined  in  OPNAV  {Naval  Operations)  Instruction 
523 9. 1A,  "Department  of  the  Navy  Automatic  Data  Processing 
Security  Program,*  April  1,  1985. 

GSM&Q-CamMiiL-  Concur.  MSC  will  confer  with  the  new  DPC  (DMC 
Mechanicsburg)  ACF-2  support  people  to  balance  the  level  of 
logging  with  the  system  overhead  required  to  log  accesses  to 
reduce  degrading  performance  of  the  system.  This  will  be 
completed  by  June  1994. 

.ndtfcion  ms.  Direct  the  automatic  data  processing  security 
officer  to  conduct  periodic  reviews  of  security  operations  for 
compliance  with  security  procedures,  as  defined  in  OPNAV  {Naval 
Operations)  Instruction  5239. 1A,  "Department  of  the  Navy 
Automatic  Data  Procassing  Security  Program,"  April  1,  1985,  and 
COMSC  (Commander  Military  Sealift  Command)  Instruction  551Q.8D, 
May  26,  1992. 

must?  Concur.  The  ADPSO  will  direct  the  ADPSSOs  to 

maintain  in  their  files  an  exception  report  with  entries  of,  ID 
codes  of  users  who  have  left,  names  of  (verification  in  progress) 
prospective  user  ID  codes,  ID  codes  of  task-restricted  users,  ID 
codes  of  users  to  ba  raviawad  along  with  unauthorised  access 
attempts  recorded  the  audit  trail  by  June  1996.  The  ADPSO  will 
periodically  do  joint  review,  along  with  the  ADPSSO  of  each  ais, 
of  Che  exception  reports,  to  ensure  that  all  exceptions  era  being 
tracked  end  worked.  Theee  review#  will  commence  January  1996. 

|Tr^—> ai-  Be  vise  the  security  and  training  program  for 
automatic  data  processing  systems  security  officare  to  provide 
more  technical  information  on  automatic  data  processing  training 
curriculum,  as  defined  in  Appendix  D  of  OPNAV  [Naval  Operations] 
Instruction  5239. 1A,  "Department  of  the  Navy  Automatic  Data 
Processing  Security  Program,*  April  1,  1985. 
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CQUfiC-CflOunt.  Concur.  Th*  MSC  ADPSO  and  tha  CTA  pro j act 
manager*  will  work  with  tha  naw  DPC  <DMC  Mechanicsburg)  ACF  atsff 
to  aat  up  training  for  the  MSC  and  CTA  ADPSSOe,  to  gain 
proficiency  in  uaing  tha  ACF2  Facility  to  affectively  control 
ace***  to  tha  MSC  A1S  application*  running  at  the  Machanicaburg 
facility,  and  to  properly  apply  option*  of  tha  ACF2  audit 
capability.  Tha  ADPSO  will  conduct  an  annual  refresher  overview 
of  duties.  Training  will  begin  by  January  1995. 

»dflflM>iBdstioa  if.  Diract  the  automatic  data  processing  security 
officer  to  properly  supervise  computer  security  staff  as  required 
by  OPNAV  [Havel  Operations]  Instruction  5239. 1A,  'Department  of 
the  Navy  Automatic  Data  Processing  Program,*  May  1,  19S5,  and 
COMSC  [Commander,  Military  Sealift  Command]  Instruction  5510. 9D, 
“COMSC  Security  Manuel,*  May  25,  1992. 

COMSC  Cewnint.  Concur.  The  ADPSO  will  ensure  that  ADPSSO* 
maintain  documentation  in  support  of  accreditation,  to  keep 
current  the  AIS  Security  Plan,  Riak  Assessment,  Security  Teat  and 
Evaluation (ST&E) ,  and  Contingent  Plan,  maintain  up-to-date 
inventory  of  hardware  end  currently  Implemented  application 
release*.  The  ADPSO  will  ensure  the  ADPSSOs  provide  applicable 
users  and  TASOs  with  annual  training  sessions  on  AIS  security  to 
their  systems  by  Januery  1995. 


On— eats  en  Vialiaf  A 

Management's  comments  on  Finding  A  in  this  report  were  omitted. 
Changes  to  the  finding  were  made,  as  appropriate,  for  olarity  and 
accuracy. 
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